
Full text of "The administration's clipper chip key escrow encryption program : hearing before the Subcommittee on Technology and the Law of the Committee on the Judiciary, United States Senate, One Hundred Third Congress, second session ... May 3, 1994"


S. Hrg. 103-1067 


Y 4. J 89/2: S. HRG. 103-1067 

The Administration's Clipper Chip K. . .







MAY 3, 1994 

Serial No. J-103-55 

Printed for the use of the Committee on the Judiciary



20-186 CC WASHINGTON : 1995 

For sale by the U.S. Government Printing Office 
Superintendent of Documents. Congressional Sales Office, Washington, DC 20402 
ISBN 0-16-047780-8 



JOSEPH R. BIDEN, Jr., Delaware, Chairman 
EDWARD M. KENNEDY, Massachusetts
ORRIN G. HATCH, Utah









Cynthia C. Hogan, Chief Counsel 

Catherine M. Russell, Staff Director 

Mark R. Disler, Minority Staff Director 

Sharon Prost, Minority Chief Counsel 

Subcommittee on Technology and the Law 

PATRICK J. LEAHY, Vermont, Chairman 
HERBERT KOHL, Wisconsin
ARLEN SPECTER, Pennsylvania


Bruce Cohen, Chief Counsel/Staff Director
Richard Hertling, Minority Chief Counsel 





Leahy, Hon. Patrick J., U.S. Senator from the State of Vermont
Murray, Hon. Patty, U.S. Senator from the State of Washington

Panel consisting of Jo Ann Harris, Assistant Attorney General, Criminal
Division, U.S. Department of Justice; and Raymond G. Kammer, Deputy
Director, National Institute of Standards and Technology

Panel consisting of Whitfield Diffie, engineer and cryptographer, Sun
Microsystems, Inc., Mountain View, CA, on behalf of the Digital Privacy
and Security Working Group; and Stephen T. Walker, president, Trusted
Information Systems, Inc., Glenwood, MD

Diffie, Whitfield:
Testimony
Prepared statement

Harris, Jo Ann:
Testimony
Prepared statement

Kammer, Raymond G.:
Testimony
Prepared statement

Leahy, Hon. Patrick J.: Testimony

McConnell, Admiral J.M.:
Testimony
Prepared statement

Murray, Hon. Patty:
Testimony
Prepared statement

Walker, Stephen T.:
Testimony
Prepared statement
Attachment I: Encryption production identified as of Apr. 22, 1994
Attachment II: Companies manufacturing and/or distributing
cryptographic products worldwide

Additional Submissions for the Record

Prepared statements of:
Computers and Business Equipment Manufacturers Association
United States Council for International Business

Crypto Policy Perspectives:
Composed by Susan Landau, Stephen Kent, Clint Brooks, Scott Charney,
Dorothy Denning, Whitfield Diffie, Anthony Lauck, Douglas Miller,
Peter Neumann, and David Sobel

Time/CNN poll conducted Mar. 2-3, 1994

Questions and Answers

Questions to Jo Ann Harris from:
Senator Leahy
Senator Pressler
Senator Murray

Additional remarks of Jo Ann Harris

Questions to NIST from:
The Senate Subcommittee on Technology and the Law
Senator Murray
Senator Pressler

Questions to Whitfield Diffie from the Senate Subcommittee on Technology
and the Law

Letters from Whitfield Diffie on behalf of Sun Microsystems Computer
Corp., May 23, 1994, to:
Senator Murray
Senator Leahy

Questions to Stephen T. Walker from the Senate Subcommittee on
Technology and the Law

Questions to Admiral J.M. McConnell from:
The Senate Subcommittee on Technology and the Law
Senator Pressler
Senator Murray


TUESDAY, MAY 3, 1994 

U.S. Senate, 
Subcommittee on Technology and the Law, 

Committee on the Judiciary, 

Washington, DC. 

The subcommittee met, pursuant to notice, at 9:39 a.m. in room 
G50, Dirksen Senate Office Building, Hon. Patrick J. Leahy (chair- 
man of the subcommittee), presiding. 

Present: Senators Specter, Pressler, and Murray [ex officio]. 


Senator Leahy. Good morning. We are holding today's hearing 
for a number of reasons. The administration is implementing a con- 
troversial program to enable the government to decode any tele- 
phone, fax, or computer communication that is encrypted with a 
special computer chip called Clipper Chip. In doing so, and I under- 
stand the reasons for this, the administration has responded to the 
alarm bells that were sounded by our law enforcement and intel- 
ligence agencies. They are struggling to keep pace with emerging 
telecommunications technologies that make it easier to encrypt 
messages and evade lawful wiretaps. 

Incidentally, the administration has stressed, and I am sure will
in testimony today, the security of Clipper Chip. The price for this 
security is that two Federal agencies will hold a duplicate set of 
keys to decode any communication encrypted with the Clipper Chip 
before any wiretap order has been issued. 

Now, before American citizens and potential customers of Amer- 
ican computer and telecommunications products will see this as the 
solution to privacy or security concerns, they have got to be assured 
that iron-clad procedures are in place. We have got to be able to 
guarantee that, absent a court order, no one is going to be able to 
decode their private communications except, of course, the person 
they want to. Otherwise, even law-abiding users are not going to
want to use encryption devices with Clipper Chip.

We are going to see demonstrations of how encryption works and 
we are going to hear from government witnesses, experts and crit- 
ics of Clipper Chip. I would note, that a recent Time/CNN poll indi- 
cated that 80 percent of the American people oppose this program, 
so I would hope that the public might get a chance to hear more 
about it today. 


Admiral McConnell, I want to thank you for your willingness to 
be here. I understand that, as we have discussed before, you have 
to limit your public remarks out of concern for national security. 
A second part of this hearing will be held in a secure room so that 
we can hear the remainder of your remarks. 

Now, our Constitution requires that we strike a balance between 
an individual's right to be left alone and conduct his or her own 
affairs without government interference, and our interest in a se- 
cure and safe society. The Clinton administration's Clipper Chip 
may be seen as a solution by the law enforcement and intelligence 
agencies, but it raises a whole lot of questions for its potential 
users about whether it tips that fundamental balance. 

I have got to tell you I have some real questions about whether 
any sophisticated criminal or terrorist organization is going to use 
the one code endorsed by the U.S. Government and for which U.S.
Government agents hold the decoding keys, especially when there 
are a number of alternative encryption methods commercially 
available, including one I read was just recently sent out over the 

I am concerned about the Clipper Chip's impact on the competi- 
tiveness of our robust high-tech industries. We have got to ensure 
that it does not impede American companies trying to market high- 
tech products overseas. The administration's steps to reform some 
export restrictions on encryption and telecommunications tech- 
nology is welcome, but we have to talk about that. 

I would note that we are talking today about Clipper Chip and 
not about digital telephony. Many get the two mixed up, and, in 
a way, some of the political questions are the same. In digital te- 
lephony, the question is whether we will be able to hold up ad- 
vances in communications technology until the Justice Department 
can be assured that they have a way of conducting lawful wiretaps 
on that. 

The administration is asking the same thing with Clipper Chip: 
That we not be allowed to develop and export encryption devices 
until the government is given the keys to be able to decode 
encrypted messages under appropriate standards and court orders.

My concern, I have got to tell you frankly, is what happens if we 
say that the Federal Government is empowered to sign off on tech- 
nology and technology may not go forward until they do. It bothers 
me very much because my experience with the Federal Govern- 
ment has been that in the areas of computers and telecommuni- 
cations the Federal Government has carefully and assiduously 
stayed at least 10 to 20 years behind the curve on just about every- 

You can make a better and clearer telephone call from the Wash- 
ington-to-New York shuttle than you can from Air Force 1, with all 
its expensive equipment. Most telephone systems of the Federal 
Government, as installed, have been antiquated. The only distinc- 
tion is they usually pay far more than they would if they just 
bought it off the shelf. You see the FAA struggling with a computer
system where they have to buy tubes from eastern European coun- 
tries because nobody with advanced technology even makes the 
darn things anymore.

If this is the same government that will sign off on when we go 
forward, I can see the United States being in the backwash of computer
and telecommunications technology. I don't want to see that
happen. I suspect that none of the witnesses from the government
want to see that happen either. 

So we have two problems, really. We have the problem of those 
who are concerned about what Clipper Chip might do to our tech- 
nological competitiveness in this country and, of course, we have 
the further problem, as pointed out by the 80 percent of the people 
who responded that way in the Time/CNN poll, of privacy. 

The information superhighway holds the promise of an informa- 
tion explosion that is going to enhance our marketplace of ideas, 
bringing untold benefits to our citizens. But this promise will be an 
empty one unless people are sure that when they go online or talk 
on the phone they are not forfeiting important fundamental rights, 
like their right to privacy. 

New technologies present enormous opportunities for Americans, 
but we have got to strive to safeguard our privacy if these tech- 
nologies are to prosper in this information age. Otherwise, in the 
service of law enforcement and intelligence needs, we are going to 
dampen any enthusiasm Americans may have for taking advantage 
of the new technology. 

I come from a law enforcement background. I spent 8 years on 
the Senate Intelligence Committee and continue to be involved 
with intelligence agencies through my Appropriations Committee 
hat. I understand the tremendous problems, especially with orga- 
nized crime, that law enforcement faces, and the tremendous prob- 
lems, especially with terrorism and the potential threat of terror- 
ism, that our intelligence agencies face. But I also know that this 
country has to survive economically, and one of the ways we do so 
is the fact that we have been able to have certain technological ad- 
vances. I don't want that to change. 

We will go first, Ms. Harris, to you, and then to Mr. Kammer, 
who is going to do a demonstration. Ms. Harris is Assistant Attor- 
ney General of the Criminal Division at the Department of Justice, 
and I am delighted you are here. 



Ms. Harris. Thank you, Mr. Chairman, and thank you for the 
opportunity to talk with you about the key escrow encryption con- 
cept. In particular, I want to talk about balancing the public's right 
to the best protection that technology can provide for legitimate 
communications — balancing that with the public's right to be pro- 
tected from criminals and terrorists, and I want to talk about how 
we can maintain the balance in this age when technology is, as you 
have noted, exploding all around us. 

As I know you understand, many groups engaged in the most se- 
rious and violent criminal conduct, including drug traffickers and 
organized crime groups, major street gangs and terrorist groups,
must have a means of communicating quickly, over distance, with
each other. They rely on telephonic communications to conduct 
their illicit activities, and at this time the law permits law enforce- 
ment to obtain court orders to tap into these criminal conversations 
upon, of course, a stringent showing of necessity and a showing of 
probable cause that the communications are criminal in nature. 

Even though we use that power very sparingly, our ability to 
hear and, importantly, to understand these conversations has been 
crucial to effective law enforcement. Evidence from electronic sur- 
veillance has resulted in the convictions of, we estimate, 22,000 fel- 
ons in the last decade. 

As a Federal trial lawyer specializing in criminal cases, I can tell 
you from plenty of first-hand experience and knowledge that some 
of the most powerful evidence I have ever seen or heard in court 
against these criminals are recordings of their own words directing 
their criminal enterprises in a way that a jury can understand. 

Further, I know from experience recently that authorized wire- 
taps have not only caught and convicted criminals, they have saved 
lives, including kidnaping victims and targets of terrorist activities. 
For example, in four separate instances in the very recent past, law 
enforcement has obtained critical information about the identity of 
kidnapers who were threatening immediate harm to hostages. Law 
enforcement has learned the location of the hostages and was able 
to move-in and rescue the hostages before harm was done. These 
are fast-moving scenarios where our ability to get up on a wiretap 
and understand the content of the conversations in realtime is ab- 
solutely critical. 

With court-authorized interception of telephone conversations, we 
have penetrated the highest levels of mob activity, narcotics traf- 
ficking. We have brought down whole organizations. Cases come to 
mind that everyone, I think, has heard of. The Pizza Connection 
case, the Commission case, the Hererra-Botrega case involving the 
Cali cartel, are just examples of the power of the wiretap as a law
enforcement tool, and it is not limited to just mobs and drugs. Operation
Ill Wind, for example, was a Defense procurement fraud
case in which wiretaps led to 45 search warrants, 60 convictions, 
hundreds of millions of dollars recovered in fines. 

In addition, wiretaps have helped us prosecute child pornography 
cases, murder-for-hire schemes. They have permitted us to make 
seizures of tons of illicit drugs, helped us follow and seize the illicit 
millions of dollars made by traffickers, without compromising ongo- 
ing investigations. 

But, Mr. Chairman, the ability to intercept these communica- 
tions is only the first step. We must have the ability to understand 
the content of these lawfully authorized wiretaps in order to act. 
If we intercept illicit communications in a foreign language, we 
need to bring in a translator who knows the language. If the lan- 
guage is guarded, as it frequently is in these intercepted criminal 
conversations, we need to bring in an expert to tell us what it 

Critical to my point here is if intercepted criminal conversations 
are encrypted, we need the ability to cut through the encryption, 
just as we need a translator to cut through the foreign language. 
If we can't cut through the encryption in the coming age of technology,
law enforcement efforts will be seriously hampered. This
ability to understand the words that we are lawfully intercepting 
pursuant to court order is all we seek with the Clipper Chip, no 
less and no more. 

Mr. Chairman, the plain fact is, as you have noted, that high- 
quality voice encryption in an affordable, portable, easy to use form 
will soon be widely available on the market. We anticipate that 
many legitimate users will acquire these and similar devices with 
the perfectly legitimate goal of protecting their personal and busi- 
ness confidential information. We worry, however, that such de- 
vices will also be used by criminal organizations to shield their ille- 
gal enterprises. 

Mr. Chairman, last year, as you know, the Clinton administra- 
tion, looking ahead to the future, trying to stay ahead of the curve, 
sought to address both of these important issues — the protection of 
legitimate communications without losing our ability to intercept 
criminal communications with key escrow encryption. 

Key escrow encryption has two fundamental features. First, on 
the encryption side, to protect communications it uses a very strong
algorithm, so strong that it can only be decrypted with a key that 
is unique to each individual key escrow encryption chip. Second, on 
the decryption side, to ensure the public of the privacy afforded by 
the key escrow encryption, this unique key is split into two components,
each held by one of two independent entities serving as escrow
agents. Those two entities are not permitted to release key
components except to government agencies and, importantly, only 
to government agencies when they are already authorized by law 
to intercept the communications. 

Mr. Chairman, we have worked to develop procedures that strike 
the right balance between the rigorous protection of the privacy of 
communications and the need in critical moments to be able to 
decrypt such communications in order to protect lives and preserve 
the public safety. 

Clipper Chip key escrow encryption provides a combination of 
procedural requirements, technical safeguards and audit capabili- 
ties which will assure the integrity of the Key Escrow Encryption 
System without frustrating the ability of government agencies to 
understand encrypted communications in the course of lawful wire- 

Senator Leahy. What happens if it is misused? Is there any re- 
course by somebody whose communication was intercepted? Sup- 
pose it was misused. We always assume law enforcement does 
these things according to court order, but we know that there has 
been misuse of taps before. What if that happened under this? Is 
there any way we can go back against the person? I understand the 
Attorney General has suggested that the escrow agents be immune 
from liability for mishandling the keys. Is that a good idea? 

Ms. Harris. If I may, Mr. Chairman, first address the unlikeli- 
hood of that ever happening, given the protections built into the 

Senator Leahy. Let us assume the unlikelihood for the purposes 
of my question. Assume the unlikelihood that it were to happen; 
unlikely things sometimes do. After 20 years in this branch of the 
Federal Government, I have seen an awful lot of unlikely things
happen. I have seen Presidents declare that no money was diverted
to the contras. I have seen statements before the Persian Gulf War 
that were false, and the American people spent $1.9 billion on for- 
eign aid to Saddam Hussein as a result of misstatements to the 
American public. 

I mean, things do happen, so let us just assume that one time 
out of a gazillion something went wrong. Is the Attorney General
right in saying that the escrow agents should be immune from liability
for mishandling the keys?

Ms. Harris. Mr. Chairman, I am not sure that the Attorney Gen- 
eral has made such a statement with respect to immunity. 

Senator Leahy. What she said was the procedures do not create 
and are not intended to create any substantive rights for individ- 
uals intercepted through electronic surveillance. 

Ms. Harris. All right. They are not intended to create any sub- 
stantive rights for people intercepted any more than the present 
wiretap laws are intended to create substantive rights for people 
who are unlawfully intercepted. We are building in such protec- 
tions that I find it unlikely this will happen, but let me say this, 
Mr. Chairman. It is a violation of Federal law right now illicitly to 
wiretap. We take that law very seriously. We will enforce that law. 

Senator Leahy. Would it be a violation of the same Federal law 
illicitly to use the Clipper chip keys? 

Ms. Harris. I would have to look at it more carefully. 

Senator Leahy. Should it be?

Ms. Harris. Sorry? 

Senator Leahy. Would you see any problem in applying the same 
law to the misuse of Clipper chip keys as we apply to the misuse 
of wiretap today? 

Ms. Harris. If, in fact, in the course of an illicit electronic sur- 
veillance, somehow a person got ahold of both aspects of the Clip- 
per Chip, had the decryption device so that things were fed into it 
and somehow they were able to break into this system, it is unlaw- 
ful to participate in illicit electronic surveillance. It depends on the 
facts of the case beyond that, Mr. Chairman, but I believe that if 
that occurs it is going to violate the law. 

Senator Leahy. Ms. Harris, a concern about Clipper Chip is that 
the government has the keys to that. But there are other 
encryption systems that are pretty good now, are there not, that
you as the head of the Criminal Division are faced with? 

Ms. Harris. My understanding is that the Clipper Chip is so 
much more powerful than anything available at this time that the 
Clipper Chip is a spectacular way of encrypting conversations. 
There are certainly other devices on the market now. 

Senator Leahy. What about Pretty Good Privacy, PGP? There 
was an article about that in the Wall Street Journal last week. And 
the Wall Street Journal, at least on their news items, are usually 
pretty accurate. Their editorials are written on a different planet. 

But in their article, they suggest if I recollect it correctly, that 
PGP is just about impossible to break. Is that right? 

Ms. Harris. Well, the interesting thing about that particular de- 
vice, as I understand it, is that it is software in a computer and 
does not reach phone bands; that is, voice bands, which is what
Clipper Chip is all about. I mean, what Clipper Chip is involved
with is the encryption and decryption of the voice band. 

Senator Leahy. But that would be fairly easy to do. I mean, if 
much of our voice communications are now being digitized anyway, 
wouldn't it be fairly easy to run this through a computer program 
if somebody wanted to? If you can build it for data transmission in 
Pretty Good Privacy, wouldn't it be fairly easy to do it, or assume 
that that is going to be done within a relatively short time for voice 

Ms. Harris. My understanding is that it is ever so much more 
complicated to do this with voice band, but I defer to the experts 
who are with me on the technology here. 

Senator Leahy. Well, let me ask you this question. I read an ar- 
ticle about a convicted pedophile in California who used Pretty 
Good Privacy to encrypt his computer diary, which frustrated the 
police, who thought the computer diary might contain clues about 
a child pornography ring, something that I think all of us would 
agree that if law enforcement could find out about such a thing, we 
would want them to be able to take action. 

Have you seen many such instances of encrypted communica- 

Ms. Harris. Well, let me again address the child pornography 
case in California, which I think is the Wall Street Journal article, 
and just underline that that is computer software and that is not 
what we are talking about here. What I am talking about is our 
ability to understand intercepted voice communications at a time 
when we already have the court orders to intercept it, and 

Senator Leahy. Well, let us 

Ms. Harris. I am sorry, Mr. Chairman. 

Senator Leahy. No, no; go ahead. 

Ms. Harris. I was going to then answer your question. The fact 
is that at this particular point in time law enforcement has not 
been frustrated by, or significantly frustrated by voice band 
encryption. My point is, and you certainly underlined it in your re- 
marks, Mr. Chairman, that we are trying to anticipate and get 
ahead of the curve on this particular subject because we under- 
stand the significance to law enforcement if, in fact, encryption de- 
vices as powerful as Clipper Chip are out there without our ability, 
under very circumscribed circumstances, to intercept and under- 
stand criminal conversations. 

Senator Leahy. We are going to demonstrate for you here a 
laptop computer with a computer software that encrypts voice com- 
munications. I appreciate what you said about the administration 
wanting to be ahead of the curve and I think in a lot of these com- 
munications and computer matters this administration has worked 
to get ahead of the curve. But don't think that Clipper Chip is just 
going to be used in normal straight voice communications because 
people can put these encryption devices through their computers 
and run it that way. 

What I would ask is, about 900 wiretaps are conducted annually? 

Ms. Harris. I think the figure in 1992, which is the last time we 
have figures, is 919. 

Senator Leahy. Did many of them involve encrypted conversa- 


Ms. Harris. The short answer is no. Our concern is clear, Mr. 
Chairman, that if these devices explode on the market, as we be- 
lieve they will, we will begin to be truly frustrated and unable to 
read criminal conversations. 

Senator Leahy. We are talking about the Clipper Chip. Why 
would a criminal organization or a terrorist organization buy some- 
thing that has Clipper Chip in it for their encryption when they 
can buy other non-government-authorized systems that are also
going to be extraordinarily difficult to crack, and perhaps impos- 

Ms. Harris. There are two answers to that, Mr. Chairman, and 
the first is — and this is just so true. I mean, why do they use tele- 
phones now? I mean, we are able to intercept and obtain invaluable 
evidence with court-authorized wiretaps because those kinds of or- 
ganizations, knowing that we tap, continue to use the telephones. 

I think the second answer to your question is that this is not 
easy, but our sense is that the Clipper Chip technology is so far 
advanced than anything else on the market or anything coming 
down the road that it will be regarded both by legitimate people 
and by illicit criminals as so powerful an encryption device that
they will purchase it, that it will be something that they will want 
to use. 

Senator Leahy. But if I was sitting up at my farm in Vermont 
and running an international heroin, gun smuggling, and counter- 
feit Ben and Jerry's organization, why wouldn't I just buy Pretty 
Good Privacy, PGP, and just do it all by computer and fax? I mean 
that seriously. Why wouldn't I just do that and say the heck with 
you, and I could run it on the Internet? 

Ms. Harris. Because right now, and I think for the foreseeable 
future, the Clipper Chip is such a more powerful encryption device 
that I would want, if I were you, to buy the best, and you, being 
quite confident that the Feds would never catch up with you, would 
want the best as well. 

Senator Leahy. But that is my point. Suppose I really am con- 
fident they are not going to catch me and I am really doing some- 
thing very serious. Say I am in a rural location in the United 
States and I am running an international drug ring, something 
where there is enormous amounts of money so I can do whatever 
I want and buy whatever I want. Why would I buy something with 
Clipper Chip in it that comes, in effect, with a sign on it saying 
the Federal Government holds the keys to decipher this? 

Ms. Harris. Let me again respond in two ways. First of all, you 
also will want to be making encrypted communications with legiti- 
mate organizations, with banks, with other legitimate organiza- 
tions, to send your messages, to move your illicit money out of the 
country, to do a number of things. If the Clipper Chip technology 
is purchased by legitimate people in this country because it is the 
best technology, then you — shall we change our analogy — then the
criminal who is sitting up on a farm in Vermont is going to need 
to communicate with those devices that the legitimate 

Senator Leahy. If he wants to move money from the Chase Man- 
hattan Bank to the Zurich National Bank, what you are saying is 
there he would have to — because they were using Clipper Chip, he
would have to use Clipper Chip? 

Ms. Harris. Let us go to Ill Wind. I mean, to the extent that we
have a defense procurement fraud case and we have people trying 
to communicate with defense organizations and with legitimate 
companies, if you believe — that is, if the drug trafficker up in Ver- 
mont believes that the only way that he can interact with other 
independent entities with encryption devices is to also buy Clipper 
Chip, he is going to do it. 

I suppose the second part of the answer is that to the extent that 
this powerful encryption algorithm is one which manufacturers de- 
cide to market because it is the very best, then I suppose that the 
market for lesser devices is not going to be that great. It is not 
going to be cost effective to produce those kinds of encryption de- 

Senator Leahy. Of course, this also assumes that these legiti- 
mate commercial organizations outside the United States are going 
to want to use some kind of a standard for encryption that they 
know the United States hold the keys, as compared to trying to 
find some other standard created by some other country for which 
the United States would not hold the key. We would see people in 
this country buying the other country's technology. That is at least 
a possibility? 

Ms. Harris. Anything is possible. These are not easy issues, and 
I will absolutely say that. There is something, though, that I think 
needs be said perhaps not exactly in that context, but I think I 
need to underline time and again, from our perspective what we 
are talking about is already court-authorized interceptions of com- 
munications, and that all Clipper Chip does — after a court has al- 
ready authorized the interception of the communication, all that is 
happening here is that we are getting the ability to understand the 
content of those legitimately intercepted communications. 

Senator Leahy. Well, as I understand it, the escrow agents re- 
lease the keys when they get two faxes, one from the prosecutor 
saying a wiretap order exists, and one from the law enforcement 
agency requesting the keys for a particular chip I.D. number for
which they say they have a wiretap order. Now, the escrow agents 
themselves never see this court order, is that correct? 

Ms. Harris. It is correct that the escrow agents never see it 
themselves, and let me explain why. Certainly, they have to certify 
that there is a court order. Incidentally, the request — let us put it 
this way: If DEA has a court-authorized wiretap up intercepting 
the kinds of communications that I have already talked about that 
are important and very criminal in nature, and if they hit some 
white noise that sounds as if it is encrypted, law enforcement has 
a decrypt device through which it can run a tape or the realtime 
noise through and that little box will tell DEA that this is a Clip- 
per chip-encrypted conversation, and it will give DEA an encoded 
number coming off the chip. 

That DEA agent and his supervisors will then communicate to 
each of the independent escrow agents and certify that there is a 
court order already in place authorizing them to intercept this com- 
munication; that it is a key escrow-encrypted conversation; that 
here is the number of the chip. This is going to the independent 
escrow agents, and the court order will terminate — that is, our ability
to intercept will terminate at such-and-such a date. Please communicate
back to our decrypt device the two pieces of the key that
will enable our decrypt device to decode the conversation so that 
we may get it in realtime. 

Senator Leahy. You could get it in realtime, then? 

Ms. Harris. We need it in realtime. 

Senator Leahy. Then how do those keys then get returned to the 
escrow agent? 

Ms. Harris. My understanding is that right now with the proto- 
type, we will have to manually destruct the keys that are in the 
encrypted box at the time that our authorization to intercept the 
communications ends pursuant to court order. As this develops, Mr. 
Chairman, and we are working through it right now, as I under- 
stand it, there will be a way that they will self-destruct at the par- 
ticular time at the end of the court-ordered interceptions. 

Senator Leahy. So nothing gets returned to the escrow agents? 

Ms. Harris. That is correct. Now, I should say that there are, 
as you know, in our procedures substantial auditing requirements, 
substantial recordkeeping requirements. I should have said as well 
that after the DEA agent makes his faxed request to both of the 
independent escrow agents and the process starts back in realtime, 
it is required that the Federal prosecutor in charge of this case con- 
tact the key escrow agents and confirm all of the certification that 
has been put forth by the agent. 

Senator Leahy. Now, this decryption device, the one that at least 
puts the first trigger up to say your white noise is a Clipper Chip, 
and number whatever 

Ms. Harris. That is right. 

Senator Leahy. Have those devices been made yet? 

Ms. Harris. There is one. 

Senator Leahy. I mean, how many of these are we going to have? 
Are you going to have to have them all over the country? 

Ms. Harris. Well, I think that we must — and we are very re- 
spectful of this — we must keep very, very careful control of the 
number of encryption devices. They are the kinds of items that I 
don't think anyone would want spread all over the country. 

Senator Leahy. Well, say, you have got a case in Tucson, AZ, and 
you have got one in Burlington, VT, and Abilene, KS. I mean, these 
are geographically kind of spread around. In each one of these 
areas, one might assume that law enforcement, at least for the ru- 
dimentary type of wiretaps, have equipment to do that, but one 
decrypt device might not do them any good. 

Ms. Harris. I mean, we are working through these issues right 
now and are very, very sensitive to the fact that we do not want 
proliferation of these decrypt devices. I believe that the technology 
is such, or at least we are working on it, where you could transmit 
the white noise to the box in a centrally located place and get the 

Senator Leahy. How big is this decryption device going to be? I 
assume it is something relatively small. 

Ms. Harris. It is not huge. When I said small box to my staff, 
they said, well, it is not small. 

Senator Leahy. Bigger than a bread box, smaller than a 

Ms. Harris. I think it is about the size of — I was just getting 
ready to say, and my able staff says, it is a PC. It is that size. 


Senator Leahy. Do you and the administration see any need for 
new legislation to implement your Clipper Chip proposal? 

Ms. Harris. The short answer is no. 

Senator Leahy. So you are ready to just go ahead, no matter 
what we might think here? 

Ms. Harris. Well, we always very, very carefully consider what 
is said here. 

Senator Leahy. Yes, yes, yes. [Laughter.] 

Ms. Harris. But let me go further, Mr. Chairman. Again, if you 
look at it the way that I have described, what we are talking about 
is simply a more sophisticated way to understand more sophisti- 
cated coding of criminal conversations. 

Senator Leahy. Wearing my hat from another committee, there 
is one part, though, you may have some interest in talking to us 
about. How much is this thing going to cost? 

Ms. Harris. I think you know that to the extent that the Depart- 
ment has already invested in these devices for law enforcement 

Senator Leahy. No, but just running the escrow system is going 
to cost you millions of dollars a year, won't it? 

Ms. Harris. I don't have easy estimates on that, Mr. Chairman. 

Senator Leahy. Wearing the other hat from the Appropriations 
Committee, we may be looking at some legislation. Do you think 
that as part of the reporting requirements, the Justice Department 
should give Congress a full accounting of where these decrypt devices 
are? I mean, these things are set up so they can unlock a 
coded serial number. They can get direct transmission of the keys 
from the escrow agents. They can use the keys to decrypt clipper- 
encrypted conversations. Do you think there should be any report- 
ing requirement of where they are? 

Ms. Harris. Well, I mean certainly there should be a reporting 
requirement, and what we intend to do is two things, really. We 
intend to report to the Administrative Office of U.S. Courts where 
we already report all of our court-authorized wiretaps. We will cer- 
tainly report there that a wiretap was encrypted and decrypted 
with key escrow encryption. 

Also, my understanding is that to the extent that the intelligence 
committees are giving oversight that the information would be 
made available to them. We assume the Administrative Office of 
U.S. Courts is going to report to Congress, as it does every year. 

Senator Leahy. If you say there is no legislation required, I 
would assume that the Justice Department at least anticipates reg- 
ulations being promulgated? 

Ms. Harris. What we have done, and I will be happy to go 
through it in more detail, is we have promulgated internal regula- 
tions that are designed to assure that the integrity of this system 
will be protected. What it does is internally guide us in terms of 
the process by which our agents go to get the keys, certify the proc- 
ess by which the keys come back, the process by which we audit 
very carefully. We plan to audit every single encryption instance. 

Senator Leahy. Would the AG be able to change the set of es- 
crow agents after the initial selection? 

Ms. Harris. It is not 

Senator Leahy. Suppose you have got an escrow agent who says, 
wait a minute, I think this is wrong, I don't think that this key 
should be released. Could the Attorney General just say, well, then 
we are going to get a different escrow agent? 

Ms. Harris. Well, let me say a couple of things. One, we are still 
open and looking at the options with respect to escrow agents. But, 
two, it is really very important that there be some continuity once 
the escrow agents are in place. It is not contemplated that, with 
the appropriate certification, the escrow agent, other than looking 
at the certification and saying this is not enough, this is wrong — 
I don't think that you will find the Attorney General wanting to 
change escrow agents simply because one said no. 

Senator Leahy. Well, stranger things have happened. I worry 
about the security of the system. If I understand this correctly, 
every Clipper Chip has the same family key programmed into it. 
Law enforcement uses the family key to decode the intercepted se- 
rial number which the targeted chip sends out, I guess, at the be- 
ginning of every conversation. If they have that, they can get the 
government's duplicate set of decoding keys from the escrow agents 
following the normal procedure. 

If they have got the decrypt device, the initial step, at least, can 
be done by anybody who has got one of the devices. I mean, let us 
assume that it has happened on occasion that illegal wiretaps have 
been done even by law enforcement. If they have got the initial 
decrypt device, they can at least have the family key or the num- 

Now, they can't get the decoding keys unless the escrow agents 
give them to them. Of course, without drawing this out too far, 
somebody had to make the decoding keys for the escrow agents. 
Somewhere, they are out there — that is what I am getting to, or 
the potential is out there. 

Ms. Harris. But the potential is so minuscule. I mean, the pro- 
tections that are built into this system to give everyone the assur- 
ance that no single person can illicitly get into this system. I must 
say with respect to the family codes, even if you got that, because 
those are coded, you wouldn't be able to get the number to send 
off to the escrow agents, as I understand it. 

I mean, we are talking about independent escrow agents. We are 
talking about a requirement that a prosecutor go back to the es- 
crow agents and confirm all the certifications. I mean, we built it 
in both mechanically and humanly that there are checks and 
doublechecks and doublechecks. 

Senator Leahy. If you have the decrypt device, even if you don't 
know what I am saying, you at least know who I am because you 
know the unique I.D. number of the device I am calling from. 

Ms. Harris. I don't think I would know where you were calling 
from, even. I would know a number, period. I would not be able to 
track the number. 

Senator Leahy. We have several ongoing reviews; let me make 
sure I have got them right. We have got a White House interagency 
working group, the NIST, and the National Research Council of the 
National Academy of Sciences. You haven't fully implemented the 
key escrow system or the decrypt device, to see how this works. Are 
we moving ahead of ourselves in this? Having expressed the earlier 
concern about the Federal Government always trying to stay carefully 
and traditionally behind the curve, are we getting a little bit 
ahead of the curve on this one? 

Ms. Harris. Let me put it this way. The studies that you have 
alluded to, Mr. Chairman — the White House policy study is com- 
pleted, and although one continues to study these matters and will 
continue to study them for as long as they are important, that is 
completed. The NIST part of this, as I understand it, although it 
is probably better addressed to Mr. Kammer, is completed. I don't 
know about the last study that you have alluded to, but I think we 
are moving at the appropriate speed. And, yes, speaking of the 
technology, we are attempting to stay ahead of the curve. 

Senator Leahy. If we allow American companies to export Clip- 
per Chip to non-U.S. users, say a non-U.S. user in France, what 
happens when the French law enforcement or intelligence commu- 
nity calls up and says, "by the way, we are kind of worried about 
Harris Ltd. that has just set up in the Bordeaux region. We don't 
think they are just selling wine. Can we have the keys to tap in?" 

Ms. Harris. I think that we must very, very carefully control 
this technology and the ability to use it. As I say, we have tried 
to put in place procedures that will assure that. I think, with re- 
spect to foreign law enforcement requests, a couple of things. One, 
I think we have to take it on a case-by-case basis, and I think that 
even on a case-by-case basis I think we have to consider very care- 
fully keeping the technology and the hardware, for that matter, 
with us and just go ahead and do the translation for them; that is, 
give them the words, the decrypted words, but there is no reason 
for us to go beyond that. 

[The prepared statement of Jo Ann Harris follows:] 

Prepared Statement of Jo Ann Harris 

Mr. Chairman, members of the Subcommittee, I am pleased to be able to appear 
before you today to talk about a matter vital both to the protection of privacy and 
to the preservation of public safety. 

As this Subcommittee understands quite well, many groups engaged in the most 
serious and violent criminal conduct — including drug traffickers, organized crime 
groups, and major street gangs — rely on electronic communications to conduct their 
illicit activities. Without the continued ability to conduct lawfully authorized wiretaps, 
law enforcement at the Federal, State, and local level will be seriously hampered 
in its ability to protect society from the depredations of these criminals. 

Even though it is used sparingly, electronic surveillance has been crucial to effec- 
tive law enforcement. Evidence from electronic surveillance has resulted in the con- 
victions of more than 22,000 felons over the past decade. Indeed, without wiretaps, 
some extremely significant criminal activity could not be detected or properly inves- 
tigated — much less successfully prosecuted. Wiretaps are not a routine investigative 
technique and are only used when other techniques have proven, or are likely to 
be, unsuccessful — often because those other techniques pose too great a risk to police 
or cooperating individuals. Wiretaps permit law enforcement authorities to penetrate 
closely controlled but highly sophisticated enterprises that might otherwise 
engage in wholesale criminal activity with impunity. Society cannot afford to lose 
the protection wiretaps afford it. 

At the same time, technology is making it increasingly possible for individuals 
and private enterprise to protect the confidentiality of personal and proprietary information 
through the use of encryption — the electronic "scrambling" of communications. 
The market now offers high-quality voice encryption in an affordable, portable, 
easy-to-use form. We anticipate that many legitimate users will acquire these 
and similar devices to protect their confidential information; we worry, however, 
that such devices will also be used by criminal organizations to shield their illegal 

As you know, Mr. Chairman, last year the Clinton Administration sought to address 
both these important issues by announcing the availability of key-escrow 
encryption (sometimes referred to as the "Clipper Chip"). Key-escrow encryption has 
two fundamental features. First, it uses an extremely strong algorithm, one 16 mil- 
lion times stronger than the Data Encryption Standard — DES — and so strong that 
law enforcement can only decrypt it with a key that is unique to each individual 
key-escrow encryption chip. Second, to assure the public of the privacy afforded by 
key-escrow encryption, that unique key is split into two components that are held 
by two independent entities serving as escrow agents. Those two entities may release 
key components only to government agencies when needed for lawfully authorized 
interceptions. 

As the Administration has made clear on a number of occasions, the key-escrow 
encryption initiative is a voluntary one; we have absolutely no intention of mandat- 
ing private use of a particular kind of cryptography, nor of criminalizing the private 
use of certain kinds of cryptography. We are confident, however, of the quality and 
strength of key-escrow encryption as embodied in this chip, and we believe it will 
become increasingly attractive to the private sector as an excellent, easy-to-use 
method of protecting sensitive personal and business information. 

The Clinton Administration has been farsighted in seeing the advent of high-quality, 
user-friendly encryption products and the implications of such products. It has 
also been prepared to act early, when markets are still developing and when both 
consumers and manufacturers are seeking strong, reliable cryptography for use in 
mass-market products. 

We believe, therefore, Mr. Chairman, that, as one major equipment manufacturer 
has already done, others will respond to their customers' needs for extremely strong 
encryption by marketing key escrow-equipped products. And as that occurs, we look 
for a gravitation of the market to key-escrow encryption, based on both a need for 
interoperability and a recognition of its inherent quality. Even many of those who 
may desire encryption to mask illicit activities will choose key-escrow encryption be- 
cause of its availability, its ease of use, and its interoperability with equipment used 
by legitimate enterprises. 

Mr. Chairman, let me speak about the key-escrow system in a bit more detail, 
beginning with the selection of the two entities that are serving as key escrow 
agents. In selecting escrow agents, we looked for a number of important qualifica- 
tions. Among other things, the candidates needed to: 

• Be experienced in handling sensitive materials; 

• Be familiar with communications and computer issues; 

• Be able to respond quickly, and around the clock, when government agencies 
need to have encryption keys issued to them; and 

• Be generally regarded by the public as both reliable and effective. 

Especially to get the system up and running, we believed it made sense to look 
to agencies of the Executive branch. In light of that consideration and the criteria 
I have just mentioned, the Commerce Department's National Institute of Standards 
and Technology (NIST) and the Treasury Department's Automated Systems Division 
appeared to be the two best candidates; and they have been so designated. 

NIST, as you are well aware, has long experience in matters relating to protection 
of sensitive, unclassified information and, indeed, has been pivotal in the development 
of the key-escrow encryption initiative. Treasury's Automated Systems Division—which 
is not part of any of the Treasury law enforcement agencies—is a 24-hour 
a day operation that is well experienced in handling matters of the utmost 
sensitivity. 

As you know, on February 4, 1994, the Administration made a number of announcements 
regarding encryption policy generally, and key-escrow encryption specifically. 
Among those announcements were the designation of the escrow agents 
and the publication of the procedures under which the escrow agents would be per- 
mitted to release key components: 

• To Federal law enforcement authorities for use in wiretaps under Title III of 
the Omnibus Crime Control and Safe Streets Act of 1968, as amended (Title III); 

• To State or local law enforcement authorities for use in wiretaps under state 
statutes; and 

• To Federal agencies for use in wiretaps under the Foreign Intelligence Surveillance 
Act (FISA). 

Let me describe for you the kinds of circumstances under which escrowed key 
components will be made available to government agencies when needed in conjunc- 
tion with lawfully authorized wiretaps. 


Mr. Chairman, as this Subcommittee well understands, Federal laws clearly lay 
out the circumstances in which wiretaps may be conducted, consistent with the Con- 
stitution. Wiretaps not lawfully authorized are criminal offenses — offenses that we 
take very seriously. Moreover, as the Subcommittee is aware, Federal law enforcement 
agencies may conduct wiretaps only for the most serious kinds of offenses and 
do so only after an extremely careful internal review of the need for, and the propri- 
ety of, a wiretap. That review process requires not only careful screening within the 
particular investigative agency — at both the local and headquarters level — but a 
thorough evaluation by a supervising prosecutor, usually an Assistant U.S. Attorney 
in the district in which the wiretap will be conducted. At each of those levels, there 
is a close review of the proposal to ensure that there is probable cause for the wire- 
tap, that the case justifies use of this important technique, and that alternative 
techniques are not satisfactory. Finally, no Federal Title III application may proceed 
without approval at a senior level within the Department of Justice. I would also 
note that no FISA application may proceed without the approval of the Attorney 

And, Mr. Chairman, that leads to the most important point which is that, whether 
for criminal or foreign intelligence purposes, the statutes require court authorization 
for wiretaps, even in the extremely rare cases in which they have begun under an 
emergency authorization. In a criminal case, the Government must show probable 
cause to believe that the telephone targeted is being used in furtherance of a specific 
serious Federal criminal offense. In a FISA case, the Government must show prob- 
able cause to believe that the target of the surveillance is a foreign power or an 
agent of a foreign power and that the facility or place, such as the telephone, is 
being used by a foreign power or agent of a foreign power. 

When we talk about access to escrowed components, therefore, we are talking 
about the ability of government agencies — Federal, State, or local — to decrypt com- 
munications when they are already lawfully authorized to intercept those commu- 
nications as part of a wiretap. We are not talking about any change in the protec- 
tion of the privacy of telecommunications. Nor are we talking about any additional 
authorization from the courts. The applicable statutes already permit government 
agencies that are authorized to conduct wiretaps to acquire the content of the inter- 
cepted communications and, if necessary, to translate or decode the communications 
as part of that process. 

Let us assume, then, that government agents — DEA, for the sake of argument — 
are conducting a court-ordered wiretap and encounter unintelligible communications 
they think may be key-escrow encryption. What do they do? First, they can run the 
communications — live or on tape — through a so-called decrypt processor. The 
decrypt processor — a specially programmed and equipped personal computer — can 
tell the agents whether key-escrow encryption is being used and, if so, the unique 
ID number of the particular chip. This last point is critical, of course, because each 
chip has its own truly unique key; without knowing the ID number of the chip, the 
law enforcement agency cannot determine which key components to request. 

Armed, however, with that information, they can submit a key component request 
to the two escrow agents, NIST and Treasury. In that request, they'll be required, 
among other things, to: 

(1) Identify themselves and the agency they're with; 

(2) Certify that they're conducting a lawful wiretap; 

(3) Specify the source of the wiretap authority and its termination date; 

(4) Provide the chip ID number. 

To provide greater reassurance, the certification by the DEA agents must be fol- 
lowed by a communication from a Federal government attorney associated with the 
matter, confirming that a wiretap has been lawfully authorized. 

When the escrow agents receive a properly submitted request, they transmit their 
respective key components to the requesting agency; the components are combined 
within the decrypt processor which, only then, is able to decrypt communications 
using the particular chip. At the end of the authorized wiretap period, the decrypt 
processor's ability to decrypt communications using that particular chip will likewise 
terminate, and the escrow agents are to be so informed. 

Those, in skeletal form, are the procedures for release of key components to Fed- 
eral law enforcement agencies for criminal wiretaps. Similar procedures will apply 
to the release of key components for use in wiretaps authorized under State stat- 
utes. The most notable difference is that, for release to State or local law enforce- 
ment agencies, the request must come from the principal prosecuting attorney of the 
State or political subdivision involved — normally, the State Attorney General or the 
District Attorney of the particular county. Finally, in the case of wiretaps under 
FISA, the request will be made by a Federal agency and will be subject to follow- 
up confirmation by the Department's Office of Intelligence Policy and Review. 

The Administration recognizes that public confidence in this system is of para- 
mount concern. The persons at NIST and Treasury who are responsible for the 
maintenance and, when appropriate, the release of key components are extremely 
serious about ensuring that they release key components only under proper circumstances. 
Meticulous procedures for the programming of the chips, and for the 
storage and handling of the keys, are being developed and refined. Even for tests 
of the system — decrypting communications over government-owned devices — there 
will be a full simulation of the request and release process. 

The transactions of the escrow agents will be logged and recorded electronically, 
permitting subsequent review and audit. In addition, the Department of Justice will 
be responsible for ascertaining that the requesting agencies fully comply with the 
procedures at the various stages of the process. We will also reflect, in the respective 
reports to the Congress regarding wiretaps under Title III and FISA, those 
wiretaps in which key-escrow encryption was encountered and for which key components 
were released to a government agency. 

Mr. Chairman, we have worked to develop procedures that strike the right balance 
between the rigorous protection of the privacy of communications and the need, 
in critical moments, to be able to decrypt such communications in order to protect 
lives and preserve the public safety. Through a combination of procedural require- 
ments, technical safeguards, and audit capabilities, we believe that these procedures 
will assure the integrity of the key-escrow encryption system without frustrating the 
ability of government agencies to understand encrypted communications in the 
course of lawful wiretaps. 

I have appreciated the opportunity to discuss with you this very important issue, 
and I shall be happy to try to answer any questions the Subcommittee may have. 

Senator Leahy. Thank you. I have a number of other questions 
for the record, but Senator Murray has joined us. She is proposing 
legislation on this, and before we go to Mr. Kammer, I didn't know, 
Senator, whether you had any questions you wanted to ask of Ms. 


Senator Murray. Well, thank you, Mr. Chairman. I will reserve 
my time to ask questions later. I do have an opening statement I 
will submit for the record. I very much appreciate your having this 
hearing and asking me to join you here today. This is an especially 
important topic in my State, where high technology is the key to 
our economic future and, really, the Clipper Chip proposal has had 
a chilling effect on a number of innovations that are coming along. 

I have a number of questions that the chairman has asked that 
I think have not been satisfactorily answered. I believe that tech- 
nology is going to be way ahead of where we are. I am very con- 
cerned that we are investing a great deal of time and energy and 
commitment into a Clipper Chip proposal, while our technology has 
moved way past that and it will be outdated within a very short 

So, I will pass on questions at this time and will be here to hear 
the rest of the testimony. Thank you. 

Senator Leahy. Thank you. 

[The prepared statement of Senator Patty Murray follows:] 

Prepared Statement of Senator Patty Murray 

Chairman Leahy, I appreciate the invitation to join you today for this important 

Over the last decade, high technology and software manufacturing have become 
a strong force in Washington state's economy. Growth in this sector has helped offset 
job losses in aircraft manufacturing. Exports are an increasingly critical part of 
our software production, helping to cushion downturns in our domestic economy. 

That is why the Administration's Clipper Chip proposal has had a chilling effect 
on software manufacturers in my state. For years, companies like Microsoft have 
struggled with burdensome, expensive and often anti-competitive U.S. export con- 
trols on encrypted software. Now, the Federal Government wants to dictate to com- 
panies what they can sell here at home, too. 

High technology is key to our economic future. Cold War export controls are a 
thing of the past. 

I have heard the arguments on all sides. On a laptop in my office in the Hart 
building, I have had DES encrypted software downloaded from Austria on the 
Internet. In January of this year, the Software Publishers Association found 210 foreign 
encryption products from 21 countries of which 129 use the Data Encryption 

When I go with my teenagers to Egghead Software I read the "For Sale Only 
in the U.S." on Windows programs anyone can buy and pack in a suitcase. We cannot 
keep the genie in the bottle. The genie left a good long while ago, and Federal 
efforts to put the genie back in the bottle will be futile. 

As the Acting Undersecretary of Commerce wrote to Banking Committee Chair- 
man Riegle a few weeks ago: "At a time when product life cycles for high tech items 
last no longer than one or two years, the existing statute (the Export Administration 
Act) inhibits the long term market potential for U.S. industry." That is why I believe 
legislation I introduced with Senator Bennett in February, S. 1846, is the correct 
way to go on the export problem. My bill would retain controls on exports of generally 
available encrypted software for intelligence or military use, but not for commercial 
use. 

I look forward to today's testimony. 

Senator Leahy. Mr. Kammer, it is all yours. Go ahead, and then 
we will go back to further questions. 


Mr. Kammer. Perhaps I could make three points and then go to 
the demonstration. First of all, the escrowed encryption standard 
is voluntary. It is not mandatory. It is voluntary for use both by 
government and by the private sector. Secondly — this is for the 
record because of some public discussion of this — there is no trap 
door in the escrow encryption standard. And then the third point 
is the U.S. Government needs encryption for civil privacy applica- 
tion — census data, the IRS, and the like. 

Because the U.S. Government will ultimately buy a lot of what- 
ever it selects, the price will presumably go down. Also, because 
people will have reasons to have conversations with the govern- 
ment perhaps in an encrypted environment, that will tend also to 
influence the marketplace. It seems to me that it is important that 
the government, to the extent it is influencing the marketplace, in- 
fluence the marketplace in a way that does not harm law enforce- 
ment, and this standard does that. 

Those are my three points. If you would like, I will go to a dem- 

Senator Leahy. Would you, please? 

Mr. Kammer. Sure. This is the TSD 3600 you have, Mr. Chair- 
man, by you, and what I intend to do is phone you from here and 
then engage the TSD 3600, which has in it a Clipper Chip. What 
will happen is there will be an initial sort of negotiation between 
this device and the device there that will take about four seconds, 
and they are negotiating what is called a session key, which is a 
unique key that will engage the algorithm in the chip for our con- 
versation, after which we will be able to have a conversation. 


In addition, I have brought a tape recording of what people 
would hear if they intercepted because there wasn't any convenient 
way to set it up here. 

Senator Leahy. Sure. 

Mr. Kammer. So, with that, I will dial in. 

Senator Leahy. My God, it worked. I take back everything I said. 

Mr. Kammer. We are now engaged in a normal encrypted con- 

Senator Leahy. I can hear it. 

Mr. Kammer. I will now engage the encryption. All you need to 
do is watch. At this point, the two devices are negotiating a session 
key. As I said before, it takes about four seconds. There is now 
emerged a session number which should be the same number for 
each of us, sir, which is FB 57. 

Senator Leahy. Interestingly enough, there is a slight delay, a 
fraction of a second delay, of the voices going back and forth. The 
only way I am aware of that is I can hear you in one ear, your ac- 
tual voice, and hear you in here. But, obviously, it is being slowed 
down by about a quarter of a second. 

Mr. Kammer. Yes, sir. The quality of the voice, however — if we 
weren't in the same place, it would be a little less irritating. You 
can perceive the lag even if we were in remote locations, but the 
quality of the voice is actually quite good, in my opinion. 

Senator Leahy. Yes, it is very good, not like the old-fashioned 
scrambled phones. 

Mr. Kammer. With that, I have cleared, and if you hit "clear" on 
your end, then we can just hang up. If there were now some person 
who was intercepting that conversation, or some other, it would 
sound as this will once I get it going. 

[There follows a transcription of an audio tape:] 

This recording is designed to demonstrate the ability of the TSD 3600, equipped 
with Clipper technology, to secure voice communications. I have been talking over 
a telephone with a TSD 3600 in the clear mode. I will now initiate the secure mode. 

Senator Leahy. That was the identifying number. 

Mr. Kammer. That is right. That was the preamble where they 
were negotiating a session key, and then that static sound is the 
white noise that people would hear. 

Senator Leahy. Now, has the Department of Justice bought 

Mr. Kammer. They have purchased 9,000 devices at this point. 

Senator Leahy. Is that going to replace the old STU phones? 

Mr. Kammer. The application that this is cleared for at this time 
is for civil data, not classified data. The STU's, as you know, are 
for classified data. 

Senator Leahy. Has anybody outside the government bought any 
of these devices with the Clipper Chip in it? 

Mr. Kammer. At this point, they are just coming on the market 
and if there are any deployed, it would be a negligible number at 
this point. 

Senator Leahy. And if I had this on my phone and you did not 
have it on yours, I can still call you just in the clear? 

Mr. Kammer. No problem; normal communications. 


Senator Leahy. But if I hit my red button, you are going to hear 
a beep and a clunk? 

Mr. Kammer. Well, it won't find anybody to negotiate with, so it 
will just sort of sit there and dither. [Laughter.] 

Senator Leahy. Heck, I am used to that. [Laughter.] 

[The prepared statement of Raymond G. Kammer follows:] 

Prepared Statement of Raymond G. Kammer 


Good morning. My name is Raymond G. Kammer, Deputy Director of the Com- 
merce Department's National Institute of Standards and Technology (NIST). Thank 
you for inviting me here today to testify on the Administration's key escrow 
encryption initiative. The Computer Security Act of 1987 assigns NIST responsibil- 
ity for the development of standards for protecting unclassified government com- 
puter systems, except those commonly known as "Warner Amendment systems" (as 
defined in Title 10 U.S.C. 2315). 

In response to the topics in which the Committee expressed an interest, I would 
like to focus my remarks on the following: 

(1) The principal encryption policy issue confronting us, 

(2) The importance of encryption technology, 

(3) How voluntary key escrow encryption technically works and how it en- 
sures privacy and confidentiality, 

(4) Alternatives to the voluntary key escrow initiative, 

(5) Critical components of the Administration's policy on encryption tech- 

(6) Recent initiative to modify Secure Hash Standard, and 

(7) The effectiveness of the Computer Security Act of 1987. 


First, I would like to broadly outline an important public policy and societal issue 
confronting us today regarding unclassified government and commercial cryptog- 
raphy. In developing cryptographic standards, one can not avoid two often compet- 
ing interests. On the one hand are the needs of users — corporate, government, and 
individual — in protecting telecommunications transmissions of sensitive information. 
Cryptography can be used for excellent information protection. On the other hand 
are the interests of the national security and law enforcement communities in being 
able to monitor electronic communications. In particular, I am focusing upon their 
need for continued ability to keep our society safe from crime and our nation secure. 

Rapid advances in digital telecommunications have brought this issue to a head. 
Some experts have stated that, within ten years, most digital telecommunications 
will be encrypted. Unless we address this issue expeditiously, law enforcement will 
lose an important tool in fighting crime — the ability to wiretap — and the mission of 
our Intelligence Community will be made more difficult. The Committee is undoubt- 
edly aware of the benefits such intelligence brings to the nation. This matter raises 
broad societal issues of significant importance. I have personally been involved in 
many meetings of a philosophical and wide-ranging nature to discuss this dilemma. 

Four broad conceptual alternatives emerged: 

• Seek a legislative mandate criminalizing the use of unauthorized cryptography. 

• Seek wide adoption of an encryption method with an unannounced "trap door." 
This was never seriously considered. 

• Seek wide voluntary adoption of a technology incorporating a secure "key es- 
crow" scheme. 

• Allow technology to evolve without government intervention; in effect, do noth- 

None of these options satisfies all interested parties fully. I doubt such a solution 
even exists, but the Administration has chosen the voluntary key escrow technology 
approach as the most desirable alternative for protecting voice communications 
without impairing the ability of law enforcement agencies to continue to conduct 
wiretaps. For data communication the long-standing Data Encryption Standard has 
recently been recertified for use. 


It is interesting to note that other countries have faced this same issue and cho- 
sen different solutions. France, for example, outlaws the use of unregistered cryp- 
tographic devices within its borders. 


Encryption provides one of the best ways to guarantee information integrity and 
obtain cost-effective information confidentiality. Encryption transforms intelligible 
information into an unintelligible form. This is accomplished by using a mathemati- 
cal algorithm and a "key" (or keys) to manipulate the data in a complex manner. 
The resulting enciphered data can then be transmitted without fear of disclosure, 
provided, of course, that the implementation is secure and the mathematical-based 
algorithm is sound. The original information can then be understood through a 
decryption process. As I shall discuss, knowledge of the particular key utilized for 
a particular encryption of information (or, in the case of asymmetric cryptography, 
knowledge of the associated key of the key pair) allows decryption of the informa- 
tion. For this reason, such keys are highly protected. 

Uses of cryptography 

Encryption can be used in many applications for assuring integrity and confiden- 
tiality, or both. It can be used to protect the integrity and/or confidentiality of phone 
calls, computer files, electronic mail, electronic medical records, tax records, cor- 
porate proprietary data, credit records, fax transmissions and many other types of 
electronic information. It is expected that cryptographic technologies will be used on 
a voluntary basis in the protection of information and services provided via the Na- 
tional Information Infrastructure. 

Encryption used with these and other types of information protects the individual 
privacy of our citizens including, for example, their records and transactions with 
government agencies and financial institutions. Private sector organizations can also 
benefit from encryption by securing their product development and marketing plans, 
for example. It also can protect against industrial espionage by making computers 
more secure against unauthorized break-ins and, if data is encrypted, making it use- 
less for those without the necessary key. 

The government has long used cryptography for the protection of its information — 
from that involving highly classified defense and foreign relations activities to un- 
classified records, such as those protected under the Privacy Act. My point here is 
not to list all potential applications and benefits but to give you a feel for the innu- 
merable applications and benefits which encryption, when securely implemented, 
can provide. 

Hazards of cryptography 

Counterbalanced against its benefits, encryption also can present many substan- 
tial drawbacks — to both the government and other users. First and foremost, 
encryption can frustrate legally authorized criminal investigations by the federal, 
state, and local law enforcement agencies. As their representatives can better ex- 
plain, lawful electronic surveillance has proven to be of the utmost benefit in both 
investigating and prosecuting serious criminal activity, including violent crime. 
Cryptographic technologies can also seriously harm our national security and intel- 
ligence capabilities. As I shall discuss, the Administration recognizes that the con- 
sequences of wide-spread, high quality encryption upon law enforcement and na- 
tional security are considerable. 

Encryption may also prove a potential hazard to other users, such as private sec- 
tor firms, particularly as we move into the Information Age. Private firms, too, are 
concerned about the misuses of cryptography by their employees. For example, a 
rogue employee may encrypt files and offer the "key" for ransom. This is often re- 
ferred to as the "data hostage" issue. Keys can also be lost or forgotten, resulting 
in the unavailability of data. Additionally, users of encryption may gain a false 
sense of security by using poorly designed or implemented encryption. To protect 
against such hazards, some corporations have expressed interest in a "corporate" 
key escrowing capability to minimize harm to their organizations from internal mis- 
use of cryptography. As security experts point out, such a false sense of security can 
be worse than if no security measures were taken at all. Encryption is not a "cure- 
all" to all security problems. 

Let me now turn to the details of the Administration's key escrow encryption ini- 



Goals of the voluntary key escrow encryption initiative 

I will begin my remarks about the government-developed key escrow encryption 
chips (referred to as "chips" herein) by discussing the goals that we were trying to 
achieve in developing this technology for application to voice-grade communication. 

At the outset, we sought to develop a technology which provides very strong pro- 
tection for government information requiring confidentiality protection. Much of the 
sensitive information which the government holds, processes, and transmits is per- 
sonal and requires strong protection. Tax records and census data are two such ex- 
amples. We sought nothing less than excellent protection for government commu- 
nications. In order to allow agencies to easily take advantage of this technology, its 
voluntary use (in Federal Information Processing Standards (FIPS) 185) to protect 
telephone communications has been approved by the Secretary of Commerce. 

The chips implementing FIPS 185 efficiently support applications within its scope. 
They far exceed the speed requirements of commercial modems existing today or en- 
visioned for the near future. 

In addition to the need for strong information protection, the increasingly 
digitized nature of advanced telecommunications is expected to significantly hamper 
the ability of domestic law enforcement to carry out lawfully authorized wire- 
tapping. Their problem has two dimensions. 

First, the design and complexity of the nation's telecommunications networks 
makes locating those communications which can be lawfully tapped very difficult. 
This is the digital telephony issue, which my law enforcement colleague will discuss 

Second, the proliferation of encryption is expected to make law enforcement's 
tasks more difficult. If a telephone conversation is encrypted, resources must be ex- 
pended for decryption, where feasible. Such expenditures and technical capabilities 
are normally far outside the ability of local law enforcement organizations and could 
be quite significant at the federal level. In seeking to make available a strong 
encryption technology, we have sought to take into account the needs of the law en- 
forcement community. For example, one of the reasons that the SKIPJACK algo- 
rithm, the formula on which the key escrow chip is based, is being kept classified 
is that its release would make their job much harder were it to be used to hide 
criminal activity. 

Misconceptions concerning the purpose of the voluntary key escrow encryption initia- 

A number of those opposed to this Administration initiative have expressed doubt 
about whether the key escrow encryption initiative can do anything to solve this na- 
tion's crime problem. Of course, this initiative cannot by itself do so. The basic in- 
tent of the program is the provision of sound security, without adversely affecting 
other government interests, including, when necessary, the protection of society 
through lawfully authorized electronic surveillance. 

The voluntary key escrow encryption initiative, first and foremost, was devised to 
provide solid, first-rate cryptographic security for the protection of information held 
by the government when government agencies decide such protection is needed for 
unclassified government communications — for example, tax, social security and pro- 
prietary information (The Escrowed Encryption Standard (FIPS 185) allows federal 
agencies to use this technology for protection of telephone communications.) This 
was done, in part, with the realization that the current government cryptographic 
technique, the Data Encryption Standard (which was recently re-approved) is over 
fifteen years old; while DES is still sound, its usefulness will not continue indefi- 
nitely. We also recognized that were we to disclose an even stronger algorithm (with 
the government's "seal of approval"), it could be misused to hamper lawful investiga- 
tions, particularly electronic surveillance. 

In approving this initiative, we felt it important that protective measures be 
taken to prevent its misuse — a safety catch, if you will. This will help assure that 
this powerful technology is not misused if adopted and used voluntarily by others. 
Our method of providing this safety mechanism relies upon escrowing cryptographic 
key components so that, if the technology is misused, lawful investigations will not 
be thwarted. Additionally, the algorithm (SKIPJACK) will remain classified so that 
its only uses will be consistent with our safety mechanism, key escrowing. I think 
it is fair to say that use of this powerful algorithm without key escrowing could pose 
a serious threat to our public safety and our national security. 


Key escrow encryption technology 

The National Security Agency, in consultation with NIST and the federal law en- 
forcement community, undertook to apply voluntary key escrow encryption tech- 
nology to voice-grade communications. The product of this effort was announced in 
the April 16, 1993 White House release concerning the key escrow encryption chip. 
I note that we have chosen to discontinue use of the term "Clipper Chip" to avoid 
potential confusion with products and services with similar names. 

The state-of-the-art microcircuit, the key escrow encryption chip, can be used in 
new, relatively inexpensive encryption devices that can be attached to an ordinary 
telephone. It scrambles telephone communications using an encryption algorithm 
more powerful than many in commercial use today. The SKIPJACK algorithm, with 
an 80-bit long cryptographic key, is approximately 16 million times stronger than 
DES. For the record, I will restate my earlier public statements that there is no 
trapdoor in the algorithm. 

Each key escrow encryption chip has two basic functions. The first is an 
encryption function, which is accomplished by the SKIPJACK algorithm, developed 
and rigorously tested by NSA. The second function is a law enforcement access 
method. I will discuss each briefly. 

The SKIPJACK algorithm is a symmetric algorithm (as opposed to "public-key" 
algorithms). Basically, this means that the same cryptographic key (the session key) 
is used for both encryption and decryption. The algorithm is so strong that the De- 
partment of Defense will evaluate it for use in protecting selected classified applica- 

The second basic function of the chip is the provision for law enforcement access 
under lawful authorization. To do so, each chip is programmed with three values: 
a cryptographic family key, a device unique key, and a serial number. (The device 
unique key is split into two key components which are then encrypted and are pro- 
vided to the two current escrow agents, NIST and the Automated Systems Division 
of the Department of the Treasury, for secure storage.) These three values are used 
in conjunction with the session key (which itself encrypts the message) in the cre- 
ation of the law enforcement access field. When law enforcement has obtained law- 
ful authorization for electronic surveillance, the serial number can be obtained elec- 
tronically. Law enforcement can then take the serial number and a certification of 
their legal authorization to the two escrow agents. (Detailed procedures for the re- 
lease of these key components were issued by the Department of Justice in early 
February.) After these certifications are received, the encrypted components will be 
transmitted by escrow agent officials for combination in the decrypt-processor. 

After decryption of the key components within the decrypt processor, the two key 
components are then mathematically combined, yielding the device unique key. This 
key is used to obtain another key, the session key, which is used to decrypt and 
understand the message. This device unique key may be used by law enforcement 
only for the decryption of communications obtained during the applicable period of 
time of the lawful electronic surveillance authorization. It can also only be used to 
decrypt communications transmitted or received by the device in question. 

Security and privacy using key escrow encryption 

When the Administration announced the voluntary key escrow encryption initia- 
tive, we anticipated that questions would be raised about the strength and integrity 
of the SKIPJACK algorithm, which is at the heart of the system. We assured the 
public that we knew of no weakness in the algorithm and that there was not an 
undisclosed point of entry, commonly referred to as a trapdoor. The algorithm was 
designed by cryptographic experts at the National Security Agency and withstood 
a rigorous testing and analysis process. 

As a further way to indicate the fundamental strength of SKIPJACK, we invited 
a group of independent experts in cryptography to review the algorithm, under ap- 
propriate security conditions, and make their results publicly known, again, consist- 
ent with the classified nature of the algorithm. This group consisted of Ernest 
Brickell (Sandia National Laboratories), Dorothy Denning (Georgetown University), 
Stephen Kent (BBN Communications Corp.), David Maher (AT&T) and Walter 
Tuchman (Amperif Corp.). These experts reported that: 

• Under an assumption that the cost of processing power is halved every eighteen 
months, it will be 36 years before the cost of breaking SKIPJACK by exhaustive 
search will be equal to the cost of breaking DES today; 


• There is no significant risk that SKIPJACK can be broken through a shortcut 
method of attack. 


Let me also repeat the reasons why the algorithm must remain classified. First, 
we believe it would be irresponsible to publish the technical details. This would be 
tantamount to handing over this strong algorithm to those who may use it to hide 
criminal activity. Publishing the algorithm may also reveal some of the classified 
design techniques that NSA uses to design military-strength technology. It would 
also allow devices to be built without the key escrowing feature, again allowing 
criminals to take advantage of the strength of this very powerful technology without 
any safeguard for society. 

With regard to privacy, key escrow encryption can, of course, be used to protect 
personal information contained in telephone communications. Moreover, the vol- 
untary key escrow encryption initiative does not expand the government's authority 
for the conduct of electronic surveillance, as my colleague from the Federal Bureau 
of Investigation will discuss. It is important to understand that the escrow agents 
will not track the devices by individual owners; they will simply maintain a 
database of chip ID numbers and associated chip unique key components (which 
themselves are encrypted). 


In reaction to industry's concerns about our hardware-only implementation of key 
escrow encryption, we announced an opportunity for industry to work with us on 
developing secure software-based key escrow encryption. Unfortunately, initial in- 
dustry interest was minimal; our offer, however, remains open. We are also willing 
to work on hardware alternatives to key escrowing as we emphasized in our recent 

The Administration has been seeking to meet with members of the computer, soft- 
ware, and telecommunications industries to discuss the importance of this matter. 
We are open to other approaches. 


Encryption is an important tool to protect privacy and confidentiality 

As I discussed earlier, encryption is powerful technology that can protect the con- 
fidentiality of data and the privacy of individuals. The government will continue to 
rely on this technology to protect its secrets as well as the personal and proprietary 
data it maintains. Use of encryption by federal agencies is encouraged when it cost- 
effectively meets their security requirements. 

No legislation restricting domestic use of cryptography 

Early in the policy review process, we stated that the Administration would not 
be seeking legislation to restrict the use, manufacture, or sale of encryption products 
in the U.S. This was a fear that was expressed in the public comments we received, 
and one that continues, despite our repeated assertions to the contrary. Let me be 
clear — this Administration does not seek legislation to prohibit or in any way re- 
strict the domestic use of cryptography. 

Export controls on encryption are necessary but administrative procedures can be 

Encryption use worldwide affects our national security. While this matter cannot 
be discussed in detail publicly without harm to this nation's intelligence sources and 
methods, I can point to the Vice President's public statement that encryption has 
"huge strategic value." The Vice President's description of the critical importance of 
encryption is important to bear in mind as we discuss these issues today. 

In recent months, the Administration has dramatically relaxed export controls on 
computer and telecommunications equipment. However, we have retained export 
controls on encryption technology, in both hardware and software. These controls 
strongly promote our national security. These export controls include mass market 
software implementing the Data Encryption Standard. The Administration deter- 
mined, however, that there are a number of reforms the government can implement 
to reduce the burden of these controls on U.S. industry. 

These reforms are part of the Administration's goal to eliminate unnecessary con- 
trols and ensure efficient implementation of those controls that must remain. For 
example, fewer licenses will be required by exporters since manufacturers will be 
able to ship their approved products from the U.S. directly to customers within ap- 
proved regions without obtaining individual licenses for each end user. Additionally, 
the State Department has set a license review turnaround goal of two working days 
for most applications. Moreover, the State Department will no longer require that 
U.S. citizens obtain an export license prior to taking encryption products out of the 
U.S. temporarily for their own personal use. Lastly, after a one-time initial technical 
review, key escrow encryption products may now be exported to most end users. 
These reforms should help to minimize the effect of export controls on U.S. industry. 

The government requires a mechanism to deal with continuing encryption policy is- 

In recognition of this, the Interagency Working Group on Encryption and Tele- 
communications was formed in recognition of the possibility that the economic sig- 
nificance of our current encryption policy could change. The Working Group has 
been assigned to monitor changes in the balance that the President has struck with 
these policy decisions and to recommend changes in policy as circumstances war- 
rant. The Working Group will work with industry on technologies like the key es- 
crow encryption chip and in the development and evaluation of possible alternatives 
to the chip. 

The group is co-chaired by the White House Office of Science and Technology Pol- 
icy and the National Security Council. It includes representatives from all depart- 
ments and agencies which participated in the policy review and others as appro- 
priate, and keeps the Information Policy Committee of the Information Infrastruc- 
ture Task Force apprised of its activities. 

Flexibility on encryption approaches 

From the time of the initial White House announcement of this technology, we 
have stated that this key escrow encryption technology provides: 

(1) Exceptionally strong protection and 

(2) A feature to protect society against those that would seek to misuse 

I have personally expressed our flexibility in seeking solutions to these difficult 
issues. We have offered to work with industry in developing alternative software 
and hardware approaches to key escrowing. We actively seek additional solutions 
to these difficult problems. 

We also stand willing to assist the Congressionally-directed study of these issues 
by the National Research Council. 

Use of EES is voluntary and limited to telephone systems 

The Escrowed Encryption Standard, which was approved on February 3, 1994, is 
a voluntary standard for use both within and outside of the federal government. It 
is applicable for protecting telephone communications, including voice, fax and 
modem. No decisions have been made about applying key escrow encryption tech- 
nology to computer-to-computer communications (e.g., e-mail) for the federal govern- 

Government standards should not harm law enforcement / national security 

This is fairly straightforward, but can be difficult to achieve. In setting standards, 
the interests of all the components of the government should be taken into account. 
In the case of encryption, this means not only the user community, but also the law 
enforcement and national security communities, particularly since standards setting 
activities can have long-term impacts (which, unfortunately, can sometimes be hard 
to forecast). 


As the Committee may be aware, NIST has recently initiated the process to issue 
a technical modification to Federal Information Processing Standard 180, the Secure 
Hash Standard. The Secure Hash Standard uses a cryptographic-type algorithm to 
produce a short hash value (also known as a "representation" or "message digest") 
of a longer message or file. This hash value is calculated such that any change to 
the file or message being hashed, will, to a very high degree of probability, change 
the hash value. This standard can be used alone to protect the integrity of data files 
against inadvertent modification. When used in conjunction with a digital signature, 
it can be used to detect any unauthorized modification to data. 

Our intent to modify the standard was announced by NIST after the National Se- 
curity Agency informed me that their mathematicians had discovered a previously 
unknown weakness in the algorithm. This meant that the standard, while still very 
strong, was not as robust as we had originally intended. This correction will return 
the standard to its intended level of strength. 

I think this announcement illustrates two useful issues with regard to cryp- 
tographic-based standards. First, developing sound cryptographic technology is very 
difficult. This is also seen with commercial algorithms, including those used for 
hashing and encryption. Secondly, this incident demonstrates the commitment of 
NIST, with NSA's technical assistance, to promulgating sound security standards. 
In this case, a weakness was found, and is being quickly corrected. 


Lastly, as requested in your invitation to appear here today, let me briefly address 
the effectiveness of the Computer Security Act of 1987 (P.L. 100-235). I will first 
briefly comment on what we learned about the state of computer security in the fed- 
eral government during our agency visit process and then turn to cryptographic-spe- 
cific issues. 

As part of our efforts to increase awareness of the need for computer security, 
during 1991-1992, officials from OMB, NIST and NSA visited 28 federal depart- 
ments and agencies. Each visit was designed to increase senior managers' aware- 
ness of security issues and to motivate them to improve security. I believe that what 
we learned during those visits remains valid — and indicates that we still need to 
focus on basic computer security issues in the government. 

Specifically, OMB, NIST and NSA proposed the following steps to improve secu- 

• Focus management attention on computer security. 

• Improve planning for security. 

• Update security awareness and training programs. 

• Improve contingency planning and incident response capabilities. 

• Improve communication of useful security techniques. 

• Assess security vulnerabilities in emerging information technologies. 

Actions are being taken by NIST and other agencies to address each of these 
areas. The background and discussion of the need for these measures is discussed 
in the summary report prepared by OMB on "Observations of Agency Computer Se- 
curity Practices and Implementation of OMB Bulletin No. 90-08" (February 1993). 
In short, the Computer Security Act provides an appropriate framework for agen- 
cies — to continue improving the security of their automated systems — but much 
work remains to be done, by NIST and individual federal agencies. 

One of the questions that the Committee was interested in was whether there is 
a need to modify this legislation in response to the same advancements in tech- 
nology that led to the key escrow initiative and digital telephony proposal. First, I 
would observe that the Act, as a broad framework, is not tied to a specific tech- 
nology. I think it would be unworkable if the Act were to address specific computer 
technologies, since this is a rapidly evolving field. Also, I would note that the Act 
does not address digital telephony concerns — the Administration is proposing sepa- 
rate legislation in that area. In short, no modifications to the Act are necessary be- 
cause of technology advances. 

Before leaving the subject of the Computer Security Act, however, let me briefly 
comment on the Escrowed Encryption Standard. I strongly believe that NIST and 
NSA have complied with the spirit and intent of the Act. At the same time, this 
issue underscores the complex issues which arise in the course of developing com- 
puter security standards, particularly cryptographic-based standards for unclassified 

The Act, as you are aware, authorizes NIST to draw upon computer security 
guidelines developed by NSA to the extent that NIST determines they are consistent 
with the requirements for protecting sensitive information in federal computer sys- 
tems. In the area of cryptography, we believe that federal agencies have valid re- 
quirements for access to strong encryption (and other cryptographic-related stand- 
ards) for the protection of their information. We were also aware of other require- 
ments of the law enforcement and national security community. Since NSA is con- 
sidered to have the world's foremost cryptographic capabilities, it only makes sense 
(from both a technological and economic point of view) to draw upon their guidelines 
and skills as useful inputs to the development of standards. The use of NSA-de- 
signed and -tested algorithms is fully consistent with the Act. We also work jointly 
with NSA in many other areas, including the development of criteria for the security 
evaluation of computer systems. They have had more experience than anyone else 
in such evaluations. As in the case of cryptography, this is an area in which NIST 
can benefit from NSA's expertise. 


Key escrow encryption can help protect proprietary information, protect the pri- 
vacy of personal phone conversations and prevent unauthorized release of data 
transmitted telephonically. Key escrow encryption is available as a valuable tool for 
protecting federal agencies' critical information communicated by telephone. At the 
same time, this technology preserves the ability of federal, state and local law en- 
forcement agencies to intercept lawfully the phone conversations of criminals. 

Encryption technology will play an increasingly important security role in future 
computer applications. Its use for security must be balanced with the need to 
protect all Americans from those who break the law. 

Thank you, Mr. Chairman. I would be pleased to answer your questions. 

Raymond G. Kammer is the Deputy Director of NIST. He is responsible for the 
day to day operation of the Institute as well as long-range planning and policy 
development. NIST is the only Federal laboratory explicitly charged with providing 
technical research and services to enhance U.S. industrial competitiveness. NIST 
provides support for industry's development of precompetitive generic technologies 
and diffusing technological advances to users in all segments of the economy. In ad- 
dition, NIST provides the measurements, calibrations, and quality assurance tech- 
niques which underpin U.S. commerce, technological progress, improved product re- 
liability and manufacturing processes, and public safety. NIST carries out many of 
these efforts in partnership with industry and government. 

A graduate of the University of Maryland, Kammer joined NIST in 1969 as a 
program analyst. Over the following decade he served the agency and the U.S. 
Department of Commerce in a succession of offices concerned with budgetary and program 
analysis; planning; and personnel management. In 1980, Mr. Kammer was ap- 
pointed Deputy Director of NIST. He also has served as Acting Director of NIST, 
Acting Director of the National Measurement Laboratory, and Acting Director of the 
Advanced Technology Program. 

In 1991, Kammer was named the Deputy Under Secretary for Oceans and Atmosphere, 
NOAA, Department of Commerce. While in that position, he served as 
NOAA's Chief Operating Officer and was responsible for overseeing the day-to-day 
operation of NOAA's five major line offices. In 1993, Kammer returned to NIST as 
Deputy Director. 

In addition, Kammer has chaired several important evaluation committees for the 
Department of Commerce, including reviews of satellite systems for weather mon- 
itoring and the U.S. LANDSAT program, and the next generation of weather radars 
used by the U.S. government. He also served a three-year term on the Board of Di- 
rectors of ASTM, a major international government for the development of voluntary 
standards for materials, products, systems, and services. 

His awards include both the Gold and Silver medals of the Department of Com- 
merce, the William A. Jump Award for Exceptional Achievement in Public Adminis- 
tration, the Federal Government Meritorious Executive Award, and the Roger W. 
Jones Award for Executive Leadership. 

Senator Leahy. You are working with industry, as I understand 
it, to improve on the key escrow chips, to develop key escrow soft- 
ware, and to examine alternatives to Clipper Chip. What are the 
improvements and alternatives to Clipper Chip that NIST is 
considering, or have I overstated the situation? 

Mr. Kammer. We are in active collaboration with four private 
sector entities that responded to a public advertisement that we 
made, and the intent was to have discussions both on hardware im- 
provements and software. In the case of the hardware improve- 
ments, what people are interested in is can the algorithm be incor- 
porated on some other chip that is already in a communications de- 
vice, for instance, thereby reducing the power requirements. 

The full name of the game in communications is you want to be 
portable, you want to be light, you want to take no power at all, 
ideally, or very little power. To incorporate the clipper hardware on 
a portable telephone, for instance, it uses enough power now to be 
irritating to the manufacturers. They don't think it is very attrac- 
tive until we can reduce the power. 

In terms of the software, we would like to see if we can find a 
concept, and we have not yet, where we would be able to preserve 
law enforcement and still encrypt in a software mode rather than 
a hardware mode. Intellectually, that is a very formidable idea. If 
you could ever think of a way of doing it, you would have the best 
of all worlds, in that you use no power when you use software and, 
of course, it doesn't weigh anything, so that would be very desir- 

Those discussions have been — the group that has been undertaking 
this has been meeting biweekly since last — bimonthly — I am 
sorry — since last December working on these issues. 

Senator Leahy. There is no way to get in on the conversation you 
and I had? There would be no way for somebody to put a device 
like this on the line between the two of us and pick it up, or is 

Mr. Kammer. Yes, sir, there would be, with considerable effort. 
I mean, they would have to know which line it was going to pass 
through, which is a very formidable problem in itself, but let us say 
somehow people have 

Senator Leahy. Well, let us say you are calling me from Chicago 
and I am in Vermont, but they know what office you are going to 
call from. 

Mr. Kammer. Right, so they would put it on a wire. 

Senator Leahy. So they would have to be within a few feet of 
where you are. Can they do that? 

Mr. Kammer. Then what would happen is you would not get the 
indication that it was secure. The negotiation would say "retry" in- 
stead of "secure." 

Senator Leahy. It would pick up the fact that there is something 
in the way of the connection? 

Mr. Kammer. It would know that there was what we call a man 
in the middle. It would know that there is such an individual there. 
If I went to that much trouble, probably what I would rather do 
is just put a microphone under your desk. 

Senator Leahy. Well, that was going to be my next question. 

The National Research Council of the National Academy of 
Sciences is doing a 2-year study of shortcomings in how national 
encryption policy is made, and Clipper Chip, and so on. Is there 
any reason why the administration couldn't wait to implement its 
Key Escrow Encryption System until after we got this study? 

Mr. Kammer. The urgency from our point of view was that prod- 
ucts like the TSD 3600 were coming into the marketplace, and 
what drove us was indeed that happening and the possibility — and 
this can still happen, but the technology would just whirl ahead of 
us and we would wake up one morning — suddenly there were fax 
machines everywhere, you know, and maybe suddenly there was 
the TSD 3600 with an algorithm in it that was very vexing to law 
enforcement, and that could still happen. I mean, Clipper is vol- 
untary. People could pick something else, and they may. 

Senator Leahy. Well, suppose they don't pick Clipper Chip. Are 
we going to stop the use of it? 

Mr. Kammer. No, sir. We still have a substantial influence on the 
marketplace just because of price and because of the convenience 
of communicating with the government. Additionally, the experts 
in this field, I think, tend to underestimate the formidable task of 
most normal people setting up their own personal encryption net. 
It is not a trivial thing to do. 


Indeed, many people use good algorithms and set the net up so 
poorly that they are exploitable because of the defects in how they 
set it up. In a nation where most people can't program their own 
VCR's, I mean this is something to think about. 

Senator Leahy. Senator Murray points out it is OK because our 
kids can. There is an 8-year-old girl who lives across the street and 
we call her over to set the thing up and she takes care of it for 
us. [Laughter.] 

Are foreign governments going to permit the use of Clipper Chip 
or Capstone overseas? 

Mr. Kammer. We have started some discussions with foreign gov- 
ernments. It is an interesting problem. Most of the Western Euro- 
pean countries actually have laws on the books, in many cases 
since the 1920's, that allow them to regulate all use of encryption. 
Some countries are rather active in their enforcement of these 
laws, some are rather lax, but the laws exist on the books. 

Senator Leahy. If we are setting an industry standard, what do 
you do if some of the major countries, especially those that have 
major commercial interests with us, say no, or we will let you use 
it, but only if we have the keys? 

Mr. Kammer. That is all a negotiation to take place. 

Senator Leahy. Is any of it taking place now? 

Mr. Kammer. There have been some initial discussions with se- 
lected governments. It may be that Admiral McConnell would have 
more to share with you in the following session. 

Senator Leahy. Now, I understand that software is available 
that could be used with Clipper to bypass the key escrow feature. 
A sender of information can first encrypt the information with 
software using DES or RSA algorithms, then transmit that information 
double-encrypted with Clipper. So, in other words, even if you 
decrypt Clipper, what you do is you peel the onion off and under- 
neath it is still an onion, an encrypted one. Doesn't that defeat 

Mr. Kammer. You are exactly correct, and indeed that would con- 
found our intent. However, you had to go through a couple of trou- 
blesome steps here and to the extent that you have done it success- 
fully, we are confounded. Most people probably won't go to that 
much trouble, experience suggests, or won't do it successfully, expe- 
rience suggests. 

Senator Leahy. Is the administration considering outlawing all 
other encryption methods? 

Mr. Kammer. We took as one of our assignments during the 
presidentially instructed review to consider that and we rejected it. 
We think that mandatory regulation in this area would be an inap- 
propriate approach for our society. 

Senator Leahy. Last year when you testified before Representative 
Markey's subcommittee, you were asked if foreign companies 
would purchase Clipper Chip and you replied, "I think under the 
current circumstances, probably if I were running a foreign com- 
pany, that would be a decision I would not make." Do you still feel 
that way? 

Mr. Kammer. I have been surprised. In conversations with a lot 
of the multinational companies, what they seem to assign a very 
high priority to is something they can use everywhere. They are 
substantially less concerned about the ability of our government, at 
least, to access their information. They have expressed concerns 
about what they view as the practice of some other governments 
of intercepting commercial information to share with commercial 
companies, and that does worry them, but people were less resist- 
ant than I imagined at that time. 

Senator Leahy. So if you were back there last April before 
Congressman Markey's subcommittee, would you give the same an- 

Mr. Kammer. Knowing what I knew then, I think I would have 
been obliged to. 

Senator Leahy. No, but today. 

Mr. Kammer. No, I wouldn't. 

Senator Leahy. If other countries don't let Clipper Chip in, do we 
have a problem using the information superhighway that every- 
body wants to get on now? I mean, I look at Internet where I can 
go and pick up articles from a university in Australia or commu- 
nicate with somebody in Eastern Europe. I mean, what about this? 
Are we suddenly going to see countries cutting off Internet? 

Mr. Kammer. There is going to have to be at some point a 
worldwide solution to this. The power of Internet is too attractive. People 
aren't going to be willing to forgo that, and any country that 
forgoes is forgoing economic opportunity that means they won't sur- 
vive for that long. 

The critical things that you are going to need for commerce are, 
first of all, digital signature. If you want to sell or buy from people 
you have never met, you have to have some unambiguous way of 
assuring that they indeed incurred the debt and that they are lia- 
ble for it. Digital signature is that solution. You are going to need 
some way of sealing data so you can be confident that it wasn't 
changed. That is sometimes called message authentication. Those 
two things are absolutely necessary for commerce. For many kinds 
of commerce, you are also going to need some kind of confidential- 
ity that goes across borders. This is a difficult problem. 

Senator Leahy. And it becomes more difficult if Clipper Chip is 
the standard. I really cannot imagine a number of these countries 
allowing it, no matter what commercial disadvantage they might be 
put at, without having a way of cracking into it. 

Mr. Kammer. The possibility of some solution that doesn't in- 
volve a trusted third party, whoever it is — I haven't thought of any- 
thing myself, nor have I talked to anybody that has thought of any- 
thing that goes to some balance between protection from criminal 
activities balanced with privacy. What most people say it is not 
possible to do it at all and therefore let us just go a hundred per- 
cent privacy, the heck with the law enforcement. I don't know how 
it is going to come out. 

Senator Leahy. Well, can you imagine any groundswell of enthu- 
siasm here in the United States for giving these keys to some other 
country, no matter who they are? 

Mr. Kammer. I can't. 

Senator Leahy. Now, I understand that the cost of establishing 
the escrow system will be about $14 million and the cost of running 
it will be about $16 million annually. Is there any statutory author- 
ity for these expenditures? 


Mr. Kammer. During the review that we did, there was a legisla- 
tive review as well and we have the authority under the Computer 
Security Act, as it amended the NIST Organic Act. There is no au- 
thorization for the money at this point. 

Senator Leahy. Ms. Harris, I think you were very forthcoming 
with the Justice Department's view on legislation, but if there is 
enough concern here, there will be legislation. 

Senator Specter? 

Senator Specter. Thank you very much, Mr. Chairman. 

In noting the examples of cryptographic products which are being 
produced by others, are there some, Mr. Kammer, that are more 
complicated and more difficult to decrypt? 

Mr. Kammer. If you have two well-designed algorithms, then the 
measurement is usually something called the work factor, and that 
is how long it would take you to try all the possible keys that exist, 
but that first big "if" is a real big "if." There are algorithms that 
are out in public use that seem to have rated very long work fac- 
tors that indeed are not all that well designed. So, first, you have 
to know is it really designed as well as it is labeled, and then, sec- 
ondly, if so, then you can start comparing work factors. Presuming 
two good algorithms, the one with the biggest work factor is pre- 
sumably the best one. 

Senator Specter. Well, you lost me. Let me try again. 

Mr. Kammer. Sure. 

Senator Specter. Are there some cryptogram systems that we 
cannot break at this moment? 

Mr. Kammer. Yes, sir. 

Senator Specter. Are there any cryptogram systems that cannot 
be broken with enough energy and time applied? 

Mr. Kammer. No, sir, but the amount of time could range into 
hundreds, you know, of years. 

Senator Specter. All right, so criminal elements or foreign 
agents could have access to cryptogram systems which we might 
not be able to break except with very extensive efforts. 

Mr. Kammer. That is correct. That presumes a rather sophisti- 
cated criminal who is also very disciplined about implementing the 
system, but yes. 

Senator Specter. General Harris, what pause does that give you 
for wiretaps if it is possible for organized crime or sophisticated for- 
eign agents to use these cryptographic systems? 

Ms. Harris. It is clearly of grave concern. Our hope with Clipper 
Chip is that it will become a device of choice so widespread that 
at least we will not have developed and then made available pri- 
vately a technology which will frustrate law enforcement. 

Senator Specter. With so many of these other cryptographic 
devices available from so many other countries — Australia, Denmark, 
Finland, Germany, Israel, Russia, the United Kingdom — isn't there 
sufficient competition with this kind of a device so that whatever 
we do with ours won't make a whole lot of difference? Won't foreign 
agents or criminals who want access to secret cryptography will be 
able to have it, whatever we do with Clipper Chip? 

Ms. Harris. It is our hope that if Clipper Chip becomes the 
standard of choice for legitimate businesses that there will come a 
time when even illegitimate criminal enterprises will have to 
communicate with legitimate operators around the world. 

Senator Specter. But, General Harris, why should it become the 
product of choice when there are so many others available? 

Ms. Harris. I must tell you, Senator, that my understanding is 
that although others are available, they are not that good; that 
Clipper is — probably "light years" is strong a word, but that Clip- 
per is so much stronger than the available — is so much stronger 
and so much better than what is available that, developed and 
made available, as the intention is, to the market, it will be the 
encrypter of choice. I mean, that is the hope. At least it will be one 
that this country has developed which will not frustrate law en- 

Senator Specter. Given technology's rapid advances, is there 
any estimate as to how long it would be before someone is likely 
to produce a better system? 

Ms. Harris. I think that I would not speculate on that, Senator. 
Clearly, people are working on it, and clearly we are not just sort 
of stopped with Clipper Chip either. I mean, there must be a con- 
tinuing review and work on this subject. I mean, this is a subject 
of grave concern to law enforcement, I am sure you understand. 

Senator Specter. When the codes would be in the hands of two 
governmental agencies, is there a possibility that they might be 
used without a court order in a system which requires a court 
order for a wiretap? 

Ms. Harris. I do not believe that they will be misused without 
court order. We have built into our protocols several fail-safe provi- 
sions. For instance, as you have noted, first of all, obviously, we 
have got to have a court order. The certification by the law enforce- 
ment agent who picks up an encoded conversation pursuant to 
Clipper Chip is required to certify to both of the independent key 
escrow holders that there is a court order, when it is going to end, 
and the identifying numbers. 

Each one of those independent escrow agents has to act inde- 
pendently to send back to the decrypt device the appropriate codes 
that have to be combined in the machine, and then the responsible 
Federal officer, if it is a Federal wiretap 

Senator Specter. Who is the custodian for this code in the De- 
partment of Justice, or who is the proposed custodian? 

Ms. Harris. For the two escrow agents? 

Senator Specter. Yes. 

Ms. Harris. NIST is one, and what comes down to the command 
center at the Department of Treasury is the other right now. 

Senator Specter. So Justice will not be a custodian? 

Ms. Harris. That is absolutely correct. We have very carefully 
picked key escrow holders that are not law enforcement agencies. 

Senator Specter. Treasury has significant law enforcement func- 

Ms. Harris. Not this aspect of Treasury, Senator. 

Senator Specter. Which aspect is it? 

Ms. Harris. It comes down to the command center at Treasury. 
It is part of their Automated Systems Division. It is on their ad- 
ministrative side. 


Senator Specter. Well, it is very interesting. I recall being a 
lieutenant in the Air Force years ago in the Office of Special Inves- 
tigation in the special branch called Cryptography, and from that 
vantage point I have always doubted that anything is a secret. 

I have had experience where only three highly trusted people in 
a major investigation I ran years ago in the district attorney's office 
in Philadelphia knew about a matter; I have always had real res- 
ervations about how secret you can be. 

Let me just ask both of you one final question, and that is do you 
really think we can make it so that it is secret? General Harris? 

Ms. Harris. I believe that we can make it and, with human and 
mechanical technological safeguards, make it literally impossible 
for the whole system to be misused, and that it will function pursu- 
ant to court-authorized interceptions and function simply as a 
translator, so to speak, so that we can understand the content of 
communications that a court has authorized us to intercept. 

Senator Specter. Mr. Kammer, will it really be secret? 

Mr. Kammer. Yes, sir, I believe that we can be successful in 
making it secret. 

Senator Specter. Well, the technology is fascinating. We had the 
Director of the FBI in on a hearing not too long ago and the shoe 
was on the other foot. The Director of the FBI was asking for legis- 
lation which would enable the FBI to keep up with the crooks, with 
all of the changes in the telephone system. So this subcommittee 
has its work cut out for it, but we will try to be helpful. 

Thank you very much. Thank you, Mr. Chairman. 

The Chairman. Senator Murray? 

Senator Murray. Thank you, Mr. Chairman. 

Mr. Kammer, has NIST evaluated the foreign programs that are 

Mr. Kammer. We have occasionally evaluated selected ones out 
of interest. The NSA has done a much more thorough-going job and 
you may find it useful to discuss that in the next hearing. 

Senator Murray. OK; thank you. On April 28, the Wall Street 
Journal quoted a computer expert as predicting criminals will rou- 
tinely encrypt information within 2 years. Do you agree with that 

Mr. Kammer. I think the timeframe of 2 years is extremely un- 
likely at this point. I don't think there will be widespread use even 
among sophisticated users in 2 years. 

Senator Murray. Would Clipper Chip affect that timetable in 
any way? 

Mr. Kammer. Well, I can sort of reason by analogy. DES was re- 
leased 17 years ago and for the first 5 years it was regarded, be- 
cause it had come from the government, with fear and loathing by 
all, and then it gradually began to penetrate the marketplace and 
now it is the choice for banking and for a number of other uses. 
That process took about 12, 13 years before it really got to the 
point where it was in widespread use. I don't think this will hap- 
pen that quickly — quicker than that, but not very quickly. 

Senator Murray. So you don't see the Clipper Chip becoming 
commonplace for 10 to 15 years? 

Mr. Kammer. Things happen faster now than they did 15 years 
ago, but I think it will be at least 5 years before any marketplace 
choice emerges, Clipper or possibly something else. This is 
voluntary. People may pick something else. 

Senator Murray. And you don't think that anybody can figure 
that out in the next 15 years? 

Mr. Kammer. DES still serves us well and it is 17 years old. 
DES' work factor, if you will, is 2 to the 56th. This is 2 to the 80th. 
It is 16 million times stronger than DES, Clipper is. 

Senator Murray. Do you have any way of knowing if someone 
figures it out? 

Mr. Kammer. My guess is that it would be so rapidly dissemi- 
nated on the Internet and people would be so proud of themselves 
that I would hear from many sources simultaneously. 

Senator Murray. OK; thank you. 

Senator Leahy. Well, of course, on the Internet we found Pretty 
Good Program 

Mr. Kammer. Protection, PGP. 

Senator Leahy. Pretty Good Protection. That zipped out there 
and now the government is raising issues about whether that was 
an unlawful exporting of encryption. We know how quickly things 
move. There is no reason to think that somebody else won't do that. 

I am going to submit a number of questions for the record to both 
of you, if you don't mind. I have questions ranging everywhere from 
why one supplier of Clipper Chip and the obvious questions of mo- 
nopoly that come out of that, to a number of other technical ques- 

I appreciate your testimony, and I want to tell you that I am not 
an automatic fan of Clipper Chip or the proposals of the adminis- 
tration on this. I would ask you, if you go back over the questions 
and answers and you find there is more information and more ma- 
terial you want us to have, in all fairness, please feel free to bring 
it forth. 

[The questions of committee members are found in the appendix:] 

Ms. Harris. Thank you. 

Senator Leahy. Thank you. We will take about a 2-minute recess 
to set up for the next panel. Thank you very much. 


Senator Leahy. We are back on the record. 

Our first witness will be Whitfield Diffie, an engineer and 
cryptographer with Sun Microsystems, Inc. Mr. Diffie is the inventor of 
the concept of public key cryptography and one of the founding 
members of the International Association for Cryptographic Re- 

Mr. Diffie, we will begin with you. 



Mr. Diffie. Well, we know you hear about sculduggery in these 
things. My notes just disappeared. 


Senator Leahy. The dog ate them? 

Mr. Diffie. I frankly don't know. I went back to pick up my 
notes and I can't find them. 

Senator Leahy. Would you like some more time? 

Mr. Diffie. No, no; that is fine. Thank you. Maybe this will 
make up in freshness for what it lacks in preparation. 

I want to thank you, to start with, for inviting me to this. This 
is sort of appropriate. You introduced me as the inventor of the 
concept of public key cryptography. I did it working with Marty 
Hellman at Stanford University nearly 20 years ago, and the con- 
cept we introduced that is, in fact, in the TSD 3600 over there in 
some sense created this whole problem because prior to that all 
cryptographically secure networks required a central administra- 
tion that actually had the power to decrypt traffic. It had to hold 
keys in order to make introductions that would allow it to decrypt 
traffic, and the techniques that we had the privilege of pioneering 
have allowed systems like this in which the phones negotiate di- 
rectly with each other and no third party is able to read the traffic. 
So I guess I deserve whatever happens. 

Subsequently, I went to Northern Telecom. I say this just to em- 
phasize that I have had some experience with communications se- 
curity in the telecommunications environment. After a 12 years of 
that, I came to Sun Microsystems and I am now very involved with 
Internet and Internet sort of security and things of that kind. 

I have three things I was asked to comment on, and let me try 
to get through them rather quickly. I view this from a broad per- 
spective. I try not to get tied up in individual issues of this network 
of programs that are being proposed — the Clipper, the Capstone, 
the Digital Telephony bill, and the Digital Signature. 

I believe there is a fundamental issue here of whether we should 
be using the power of technology to increase the privacy of citizens 
or to expand the power of the government, and I accept the legit- 
imacy of that power in a lot of cases, to use electronic surveillance 
against its citizens and against other people. 

I think there has been a lot of what I would call irresponsible 
comment to the effect that cryptography represents something new, 
it represents some sort of absolute privacy, and since this new 
thing has appeared, it needs to be regulated. 

I think if you look back to the era of the Bill of Rights, you will 
see that at that time any two people could have a private conversa- 
tion merely by having the common sense to walk 100 yards off 
away from people. They would know there were no tape recorders, 
no shotgun microphones, and they would be having a private con- 
versation. Nobody in the world today has that assurance. If you are 
talking on a secure phone, if you are talking in a secure conference 
room, you are depending on the cooperation of hundreds of people 
who built and maintain those systems. 

So individuals can no longer achieve privacy in the way they 
could then, and the impact of this — the credible impact, I believe, 
for our democracy is that the integrity of political speech, which 
frequently means the privacy of political speech, is something that 
is, in the Madisonian view, the root of the legitimacy of laws in a 


I think that with the progress of technology, what has happened 
is that we are in a position where if we do not make it a national 
priority to protect individual privacy, to guarantee that when indi- 
viduals want privacy they can have it, we will have an ebbing away 
of the privacy that is essential to the democratic process. 

Now, since we are short of time here, let me turn quickly — it is 
a rare privilege to speak on an issue where it seems that matters 
of conscience and matters of business go side by side. Sun 
Microsystems does about half its business outside the country and 
we are proud to be part of what we regard as building the infra- 
structure of the future information society, and that infrastructure 
will, in particularly, be the infrastructure that will support the 
commerce of the future. 

The infrastructure of commerce has always required security. 
Ships' holds, warehouses, bills of lading — all of this is the classical 
security machinery of commerce, and if we are going to have the 
promise that the information society offers, we are going to need 
to have international standards for security. They can't be some- 
thing that are weighted to try to give particular advantages to par- 
ticular governments, particular agencies, et cetera. 

My final point — I was asked to comment on alternatives, and I 
see that light has turned yellow, which means I should be turning 
yellow, I suppose. 

Senator Leahy. No, no; don't worry about it. They give me some 
latitude around here, so go ahead. [Laughter.] 

Mr. Diffie. I have been asked to speak on alternatives to this 
matter, and I think you can't speak about alternatives without ask- 
ing first whether there is a problem and what the problem is, and 
therefore what the various possible solutions are. 

In looking at the evidence that has been presented before this 
committee and other places for either the problems of law enforce- 
ment or intelligence, I don't find the evidence compelling. There is 
no question that particular sources of intelligence get closed off 
from time to time, but if you look at technical intelligence and par- 
ticular technical law enforcement facilities, you will find they are 
growing by leaps and bounds. 

In electronic surveillance, warrants — I haven't been able to get 
the exact percentage that are, so to speak, room bugs and the per- 
centage that are taps, but I know that in many of these cases tradi- 
tional bugging accounts for a good deal of the information, and 
bugs are getting smaller, higher fidelity, harder to detect, et cetera. 

If you similarly look at intelligence, you find that electronic intel- 
ligence is expanding dramatically, and the reason is that improved 
particularly radio and mobile communication channels draw far 
more valuable traffic into vulnerable channels than ever is pro- 
tected by the introduction of technical measures. I don't know if 
that will go on forever, but it has been progressing steadily for dec- 
ades now. 

On the other hand, one can say that, in fact, alternatives to this 
will come about of their own accord. If you look at cryptography as 
a security measure, you have no choice but to distinguish two 
cases, communications and storage. 

Now, in communications the view is that the communications are 
ephemeral. You don't try to save your own cipher text. You don't 
worry about having to get it back if the keys to a conversation are 
lost later. As a matter of fact, you particularly want them to go 
away. Senator Specter mentioned the various spy scandals and 
things, and worrying about keeping things secret. In fact, the two 
most dramatic spy scandals prior to Ames in our own recent his- 
tory were both cryptographic spies who kept keying material after 
they were supposed to have destroyed it and then sold it to the 

The advantage of a device like the original TSD 3600 or the 
STU-III is that it creates ephemeral keys that exist only for the 
duration of one conversation and then are destroyed when the con- 
versation ends and cannot be rederived from any of the surviving 
information. On the other hand, to create escrow agents, no matter 
how carefully constructed, is to create keys that stay in existence 
for months or years or decades after the conversations that they 
protected, and that is to create a potential loophole of immense pro- 

On the other hand, if you look at cryptography to protect storage, 
then you have no choice at anything above the individual level but 
to provide alternative mechanisms of access to the information. If 
a corporation were to keep its records encrypted — and there would 
be many benefits to that; that would mean it could ship them out 
over the Internet to storage sites so that if its headquarters burned 
down it would be able to get them back immediately. It would 
nonetheless have to be sure that somebody other than one archivist 
or one controller or something like that had the keys that protected 
this information. There would have to be alternative mechanisms 
that would be under the control of the corporate officers and they 
would provide them 

Senator Leahy. They go through some of those same questions 
about who has the keys even now in storing information in elec- 
tronic files because you at least need a password to get into that 

Mr. Diffie. Yes, although typically less things are being done 
cryptographically. Almost by definition, there are other ways other 
than passwords to get around them. 

Senator Leahy. It gives you a trap door. 

Mr. Diffie. Well, we don't usually think of it that way. It is just 
sort of a normal maintenance matter that if you take the machine 
apart, then you get at the information in other ways. 

Since I am aware of time, let me sum up by saying that suppose 
we make a mistake in this decision; then there are two ways we 
can make the mistake. We can either fail to adopt a key escrow 
system now and when one is perhaps necessary, or we can adopt 
a key escrow system when one is, in fact, not necessary. Which of 
those mistakes would be worse? 

My own view is that if we fail to adopt one this year — this talk 
of getting out ahead of the curve, and so forth, is really not very 
much to the point. Given that the life cycle of electronic equipment 
is rather short — devices like that, people expect to replace every 2, 
3, 5, or 7 years. If this market domination strategy for introducing 
new cryptographic equipment that has this back door built into it 
is taken up at any time — if it can succeed at all, it will succeed in 
a few years. 


On the other hand, suppose we do adopt something, despite all 
its controls that I believe are very dangerous to the process of de- 
mocracy and that represents a statement, in principle, somehow for 
the first time that people don't really have a right to have con- 
fidence in the measures they take to protect their own communica- 
tions. Then I believe we will run the risk of building a bureaucracy 
that is now defending this new power that it has gotten, and that 
that would be very difficult to dislodge even if we subsequently de- 
cided it had been a bad idea. 

Thank you very much. 

[The prepared statement of Whitfield Diffie follows:] 

Prepared Statement of Dr. Whitfield Diffie 

I would like to begin by expressing my thanks to Senator Leahy, the other mem- 
bers of the committee, and the committee staff for the opportunity not only of ap- 
pearing before this committee, but of appearing in such distinguished company. 

I think it is also appropriate to say a few words about my experience in the field 
of communication security. I first began thinking about cryptography while working 
at Stanford University in the late summer of 1972. My feeling was that cryptography 
was vitally important for personal privacy and my goal was to make it better 
known. I am pleased to say that if I have succeeded in nothing else, I have achieved 
that goal. Today, cryptography is a bit better known. In 1978, I walked through the 
revolving door from academia to industry and for a dozen years was "Manager of 
Secure Systems Research" at Northern Telecom. In 1991, I took my present position 
with Sun Microsystems. This has allowed me an inside look at the problems of com- 
munication security from the viewpoints of both the telecommunications and com- 
puter industries. I am also testifying today on behalf of the Digital Privacy and Se- 
curity Working Group, a group of more than 50 computer, communications and pub- 
lic interest organizations and associations dedicated to working on communications 
privacy issues. 


Just over a year ago, the Administration revealed plans for a program of key es- 
crow technology best known by the name of its flagship product the Clipper chip. 
The program's objective is to promote the use of cryptographic equipment incor- 
porating a special back door or trap door mechanism that will permit the Federal 
Government to decrypt communications without the knowledge or consent of the 
communicating parties when it considers this necessary for law enforcement or 
intelligence purposes. In effect, the privacy of these communications will be placed in 
escrow with the Federal Government. 

The committee has asked me to address myself to this proposal and in particular 
to consider three issues: 

• Problems with key escrow, particularly in the area of privacy. 

• The impact of the key escrow proposal on American business both at home and 

• Alternatives to key escrow. 


The problems of today are usually best viewed in historical perspective. A century 
ago, the world witnessed the development of the first global telecommunications sys- 
tems, with the appearance of transoceanic cables and later radio. The new tech- 
nology posed an unprecedented challenge to national sovereignty. Countries could 
still control the movement of people and goods across their borders, but ideas and 
information could now move around the world without being subject to the scrutiny 
of customs or immigration officials. 

The challenge, of course, is one that the notion of national sovereignty and nation 
state survived. In part this is due to the rise of mechanisms of censorship and 
regulation to control the new media. In part it is due to the fact that telecommunications 
proved tremendously useful to governments themselves. The new tool was promptly 
exploited by the European colonial powers, particularly Britain, to bind their 
empires more tightly together than had ever been possible in the past. 

1 Dr. Diffie is also testifying on behalf of the Digital Privacy and Security Working Group, a 
group of more than 50 computer, communications and public interest organizations and 
associations working on communications privacy issues. 

Telecommunications transformed government, giving administrators real time 
access to their representatives in remote parts of the world. It transformed commerce, 
facilitating world wide enterprises and beginning the internationalization of 
business that has become the byword of the present decade. It transformed warfare by 
giving generals the ability to operate from the relative safety of rear areas and 
admirals the capacity to control fleets scattered across oceans. 

Once again, we are in the midst of a revolution in telecommunications technology 
and once again we hear the warning that national security, and perhaps even na- 
tional sovereignty, are in danger. As the most powerful country in the world and 
the country whose welfare is the most dependent on both the security of its own 
communications and its success in communications intelligence, the United States 
confronts this challenge most directly. 

In the course of discussing the key escrow program over the past year, I have 
often encountered a piecemeal viewpoint that seeks to take each individual program 
at face value and treat it independently of the others. I believe, on the contrary, 
that it is appropriate to take a broad view of the issues. The problem confronting 
us is assessing the advisability and impact of key escrow on our society. This re- 
quires examining the effect of private, commercial, and possibly criminal use of 
cryptography and the advisability and effect of the use of communications intel- 
ligence techniques by law enforcement. In so doing, I will attempt to avoid getting 
bogged down in the distinctions between the Escrowed Encryption Standard 
(FIPS185) with its orientation toward telephone communications and the CAP- 
STONE/TESSERA/MOSAIC program with its orientation toward computer net- 
works. I will treat these, together with the Proposed Digital Signature Standard and 
to a lesser extent the Digital Telephony Proposal, as a unified whole whose objective 
is to maintain and expand electronic interception for both law enforcement and na- 
tional security purposes. 


When the First Amendment became part of our constitution in 1791, speech took 
place in the streets, the market, the fields, the office, the bar room, the bedroom, 
etc. It could be used to express intimacy, conduct business, or discuss politics and 
it must have been recognized that privacy was an indispensable component of the 
character of many of these conversations. It seems that the right — in the case of 
some expressions of intimacy even the obligation — of the participants to take 
measures to guarantee the privacy of their conversations can hardly have been in doubt, 
despite the fact that the right to speak privately could be abused in the service of 

Today, telephone conversations stand on an equal footing with the venues 
available then. In particular, a lot of political speech — from friends discussing how to 
vote to candidates planning strategy with their aids — occurs over the phone. And, 
of all the forms of speech protected by the first amendment, political speech is fore- 
most. The legitimacy of the laws in a democracy grows out of the democratic proc- 
ess. Unless the people are free to discuss the issues — and privacy is an essential 
component of many of these discussions — that process cannot take place. 

There has been a very important change in two hundred years, however. In the 
seventeen-nineties two ordinary people could achieve a high degree of security in 
conversation merely by the exercise of a little prudence and common sense. Giving 
the ordinary person comparable access to privacy in the normal actions of the world 
today requires the ready availability of complex technical equipment. It has been 
thoughtlessly said, in discussions of cryptographic policy, that cryptography brings 
the unprecedented promise of absolute privacy. In fact, it only goes a short way to 
make up for the loss of an assurance of privacy that can never be regained. 

As is widely noted, there is a fundamental similarity between the power of the 
government to intercept communications and its ability to search premises. 
Recognizing this power, the fourth amendment places controls on the government's 
power of search and similar controls have been placed by law on the use of wiretaps. 
There is, however, no suggestion in the fourth amendment of a guarantee that the 
government will find what it seeks in a search. Just as people have been free to 
protect the things they considered private, by hiding them or storing them with 
friends, they have been free to protect their conversations from being overheard. 

The ill ease that most people feel in contemplating police use of wiretaps is rooted 
in awareness of the abuses to which wiretapping can be put. Unlike a search, it is 
so unintrusive as to be invisible to its victim and this inherently undermines 
accountability. Totalitarian regimes have given us abundant evidence that the use of 
wiretaps and even the fear of their use can stifle free speech. Nor is the political 
use of electronic surveillance a strictly foreign problem. We have precedent in 
contemporary American history for its use by the party in power in its attempts to stay 
in power. 

The essence of the key escrow program is an attempt to use the buying power and 
export control authority of government to promote standards that will deny ordinary 
people ready options for true protection of their conversations. In a world where 
more and more communication takes place between people who frequently can not 
meet face to face, this is a dangerous course of action. 


The objections raised so far apply to the principle of key escrow. Objections can 
also be raised to details of the present proposal. These deal with the secrecy of the 
algorithm, the impact on security of the escrow mechanism, and the way in which 
the proposal has been put into effect. 

One objection that has been raised to the current key escrow proposal is that the 
cryptographic algorithm used in the Clipper Chip is secret and is not available for 
public scrutiny. One counter to this objection is that the users of cryptographic 
equipment are neither qualified to evaluate the quality of the algorithm nor, with 
rare exceptions, interested in attempting the task. In a fundamental way, these ob- 
jections miss the point. 

Within the national security establishment, responsibility for communication 
security is well understood. It rests with NSA. Outside of that establishment, 
particularly in industry, that responsibility is far more diffuse. Individual users are not 
typically concerned with the functioning of pieces of equipment. They acquire trust 
through a complex social web comprising standards, corporate security officers, pro- 
fessional societies, etc. A classified standard foisted on the civilian sector will have 
only one element of this process, federal endorsement. 

In explaining the rationale behind key escrow at the 1993 National Computer 
Security Conference, Clint Brooks of NSA, argued that key escrow was not a trap door, 
reserving that term for a more mathematical approach in which the algorithm is 
not kept secret. Brooks held that this idea had been rejected on the grounds that 
the trap door could be found and exploited by opponents. Ironically, a similar weak- 
ness lurks within the escrow approach, because the cost to an opponent of extracting 
the family key and unit key of a chip from the chip's communications is only 
marginally greater than the cost of extracting the key for an individual message. 

Finally, there are disturbing aspects to the development of the key escrow FIPS. 
Under the Computer Security Act of 1987, responsibility for security of civilian com- 
munications rests with the National Institute of Standards and Technology. Pursu- 
ant to this statute, the Escrowed Encryption Standard appeared as Federal Informa- 
tion Processing Standard 185, under the auspices of the Commerce Department. Ap- 
parently, however, authority over the secret technology underlying the standard and 
the documents embodying this technology, continues to reside with NSA. We thus 
have a curious arrangement in which a Department of Commerce standard seems 
to be under the effective control of a Department of Defense agency. This appears 
to violate at least the spirit of the Computer Security Act and strain beyond credi- 
bility its provisions for NIST's making use of NSA's expertise. 


Business today is characterized by an unprecedented freedom and volume of trav- 
el by both people and goods. Ease of communication, both physical and electronic, 
has ushered in an era of international markets and multinational corporations. No 
country is large enough that its industries can concentrate on the domestic market 
to the exclusion of all others. When foreign sales rival or exceed domestic ones, the 
structure of the corporation follows suit with new divisions placed in proximity to 
markets, materials, or labor. 

Security of electronic communication is as essential in this environment as secu- 
rity of transportation and storage have been to businesses throughout history. The 
communication system must ensure that orders for goods and services are genuine, 
guarantee that payments are credited to the proper accounts, and protect the pri- 
vacy of business plans and personal information. 

Two new factors are making security both more essential and more difficult to 
achieve. The first is the rise in importance of intellectual property. Since much of 
what is now bought and sold is information varying from computer programs to 
surveys of customer buying habits, information security has become an end in itself 
rather than just a means for ensuring the security of people and property. The 
second is the rising demand for mobility in communications. Traveling corporate 
computer users sit down at workstations they have never seen before and expect the 
same environment that is on the desks in their offices. They carry cellular tele- 
phones and communicate constantly by radio. They haul out portable PCs and dial 
their home computers from locations around the globe. With each such action they 
expose their information to threats of eavesdropping and falsification barely known 
a decade ago. 

Because this information economy is relentlessly global, no nation can successfully 
isolate itself from international competition. The communication systems we build 
will have to be interoperable with those of other nations. A standard based on a 
secret American technology and designed to give American intelligence access to the 
communications it protects seems an unlikely candidate for widespread acceptance. 
If we are to maintain our leading position in the information market places, we 
must give our full support to the development of open international security stand- 
ards that protect the interests of all parties fairly. 


The key escrow program also presents the spectre of increased regulation. 
FIPS185 states that "Approved implementations may be procured by authorized or- 
ganizations for integration into security equipment." This raises the question of 
what organizations will be authorized and what requirements will be placed upon 
them? Is it likely that people prepared to require that surveillance be built into 
communication switches would shrink from requiring that equipment make 
pre-encryption difficult as a condition for getting "approved implementations"? Such 
requirements have been imposed as conditions of export approval for security 
equipment. Should industry's need to acquire tamper resistant parts force it to submit 
to such requirements, key escrow will usher in an era of unprecedented regulation 
of American development and manufacturing. 


It is impossible to address the issue of alternatives to key escrow, without asking 
what, if any, is the problem. 

In recent testimony before this committee, the FBI has portrayed communications 
interception as an indispensable tool of police work and argued that the utility of 
this tool is threatened by developments in modern communications. Unfortunately, 
this testimony uses the broader term "electronic surveillance" almost exclusively. Al- 
though it refers to a number of convictions, it names not a single defendant, court, 
or case. This raises two issues: the effectiveness of electronic surveillance in general 
and that of communications interception in particular. 

It is easier to believe that the investigative and evidential utility of wiretaps is 
rising than to believe it is falling. This is partly because criminals, like everyone 
else, do more talking on the phone these days. It is partly because modern 
systems like provide much more information about a call, telling you where it came 
from in real time even when it is from a long way away. 

With respect to other kinds of electronic surveillance, the picture looks even 
brighter. Miniaturization of electronics and improvements in digital signal process- 
ing are making bugs smaller, improving their fidelity, making them harder to de- 
tect, and making them more reliable. Forms of electronic surveillance for which no 
warrant is held to be necessary, particularly TV cameras in public places, have 
become widespread. This creates a base of information that was, for example, used in 
two distinct ways in the Tylenol poisoning case of some years back. 

Broadening the consideration of high tech crime fighting tools to include vehicle 
tracking, DNA fingerprinting, individual recognition by infrared tracing of the veins 
in the face, and database profiling, makes it seem unlikely that the failures of law 
enforcement are due to the inadequacy of its technical tools. 

If we turn our attention to foreign intelligence, we see a similar picture. 
Communications intelligence today is enjoying a golden age. The steady migration of 
communications from older, less accessible, media, both physical and electronic, has 
been the dominant factor. The loss of information resulting from improvements in 
security has been consistently outweighed by the increased volume and quality of 
information available. As a result, the communications intelligence product has been 
improving for more than fifty years. 

The situation, furthermore, is improving. The rising importance of telecommuni- 
cations in the life of industrialized countries coupled with the rising importance of 
wireless communications, can be expected to give rise to an intelligence bonanza in 
the decades to come. 


Mobile communication is one of the fastest growing areas of the 
telecommunications industry and the advantages of cellular phones, wireless local area 
networks, and direct satellite communication systems are such that they are often 
installed even in applications where mobility is not required. Satellite communications 
are in extensive use, particularly in equatorial regions and cellular telephone sys- 
tems are being widely deployed in rural areas throughout the world in preference 
to undertaking the substantial expense of subscriber access wiring. 

New technologies are also opening up new possibilities. Advances in emitter 
identification, network penetration techniques, and the implementation of cryptanalytic 
or crypto-diagnostic operations within intercept equipment are likely to provide 
more new sources of intelligence than are lost as a result of commercial use of cryp- 

It should also be noted that changing circumstances change appropriate behavior. 
Although intelligence continues to play a vital role in the post cold war world, the 
techniques that were appropriate against an opponent capable of destroying the 
United States within hours may not be appropriate against merely economic rivals. 

If, however, we accept that some measure of control over the deployment of 
cryptography is needed, we must distinguish two cases: 

• The use of cryptography to protect communications and 

• The use of cryptography to protect stored information. 

It is good security practice in protecting communications to keep any keys that 
can be used to decipher the communications for as short a time as possible. Discov- 
eries in cryptography in the past two decades have made it possible to have secure 
telephones in which the keys last only for the duration of the call and can never 
be recreated, thereafter. A key escrow proposal surrenders this advantage by creat- 
ing a new set of escrowed keys that are stored indefinitely and can always be used 
to read earlier traffic. 

With regard to protection of stored information, the situation is quite different. 
The keys for decrypting information in storage must be kept for the entire lifetime 
of the stored information; if they are lost, the information is useless. An individual 
might consider encrypting files and trusting the keys to memory, but no 
organization of any size could risk the bulk of its files in this fashion. Some form of key 
archiving, backup, or escrow is thus inherent in the use of cryptography for storage. 
Such procedures will guarantee that encrypted files on disks are accessible to 
subpoena in much the same way that files on paper are today. 

In closing, I would like to ask which would be the more serious mistake: adopting 
a key escrow system that we do not need or failing to move quickly enough to adopt 
one that we do. 

It is generally accepted that rights are not absolute. If private access to high- 
grade encryption presented a clear and present danger to society, there would be 
little political opposition to controlling it. The reason there is so much disagreement 
is that there is so little evidence of a problem. 

If allowing or even encouraging wide dissemination of high-grade cryptography 
proves to be a mistake, it is likely to be a correctable mistake. Generations of 
electronic equipment follow one another very quickly. If cryptography comes to present 
such a problem that there is a popular consensus for regulating it, this will be just 
as possible in a decade as it is today. If on the other hand, we set the precedent 
of building government surveillance capabilities into our security equipment we risk 
entrenching a bureaucracy that will not easily surrender the power this gives. 


I have treated some aspects of the subjects treated here at greater length in other testimony 
and comments and copies of these have been made available to the committee. 

"The Impact of Regulating Cryptography on the Computer and Communications Industries" 
Testimony Before the House Subcommittee on Telecommunications and Finance, 9 June 1993. 

"The Impact of a Secret Cryptographic Standard on Encryption, Privacy, Law Enforcement 
and Technology" Testimony Before the House Subcommittee on Science and Technology, 11 May 

Letter to the director of the Computer Systems Laboratory at the National Institute of Stand- 
ards and Technology, commenting on the proposed Escrowed Encryption Standard, 27 Septem- 
ber 1993. 

Senator Leahy. Thank you. 

Mr. Walker, we had earlier the question asked of the Justice 
Department whether you could use other encryption devices for voice 
communications through our computers. The answer was 
somewhat different than I had expected. I will turn it to you and let you 
do your own testimony. 


Mr. Walker. Thank you very much, Mr. Chairman. My name is 
Steve Walker and I am the founder and President of Trusted Infor- 
mation Systems, an 11-year old computer security company. Before 
I started TIS, I had spent 22 years with the Defense Department 
at the National Security Agency, the Advanced Research Projects 
Agency, and the Office of the Secretary of Defense. 

Before we get to the demo of an alternative to the answer that 
you got from the Justice Department, I would like to make a few 
comments and then move to the demo. 

Senator Leahy. Sure. 

Mr. Walker. I am opposed to the key escrow cryptography as 
proposed by the administration's Clipper initiative. I believe that 
any government program that is as potentially invasive of the pri- 
vacy rights of American citizens as key escrow is should only be 
imposed after careful review by the Congress and the passage of 
legislation, legislation that is signed by the President and, if nec- 
essary, declared constitutional by the Supreme Court. 

In 1968, we went through a very painful process of authorizing 
wiretaps under very stringent conditions, and I believe that the 
government imposition of key escrow procedures deserves no less 
careful consideration. I believe that many Americans will accept 
government-imposed key escrow if it is established through law 
and if the holder of the keys is in the judiciary branch of the gov- 
ernment. But without such action, I suspect most Americans will 
remain firmly opposed to Clipper. 

I am concerned that there appears to be very little business case 
for the administration's assertions that key escrow will maintain 
law enforcement's ability to wiretap criminals. I fear that, as pres- 
ently being pursued, the Clipper initiative will be an expensive pro- 
gram that will yield few, if any, results. 

I am actually angered that the government's fixation on law en- 
forcement and national security interests has delayed the estab- 
lishment of a digital signature standard for over 12 years and done 
considerable harm to the economic interests of the United States. 
Mr. Kammer talked about a digital signature standard and how 
important it was, but, in fact, because of the fixation on the inter- 
ests of law enforcement and national security, we don't have one 
when we could have had it 12 years ago. 

I am also opposed to continued imposition of export controls on 
products that employ cryptography that are already routinely 
available throughout the world, as we will discuss here in a mo- 
ment. The only effects that these controls are having is to deny 
U.S. citizens and businesses protection of their own sensitive infor- 
mation from foreign and domestic industrial espionage, and to 
place U.S. information system producers at a severe disadvantage 
in a rapidly growing market. I also wish to say, and I am sorry 
Senator Murray is not here, that I very strongly support her bill, 
S. 1846, and Maria Cantwell's bill, H.R. 3627, in their attempts to 
alleviate this export control problem. 


I was very pleased when Ray Kammer brought in the Clipper 
TSD and demonstrated it because I wanted to talk just for a 
minute about how we got into this mess, the Clipper mess, in some 
sense. This is the culprit that began it. This is a TSD that looks 
very much like the one that you used a few minutes ago, except 
at the end of the TSD 3600 there is a "D." This device was initially 
announced back in September 1992 by AT&T, with some public- 
ity — two-page ads in Business Week and elsewhere — and it has 
DES in it. In some very real sense, it was the introduction of this 
device that caused NSA and the FBI to go into a flurry to try to 
find an alternative. 

In January 1993, AT&T began shipping these devices. I got eight 
of them at that time, but they told us they were only on loan. You 
couldn't buy them, and they promised us there would be something 
better in April. This was in 1993. In April, when the administra- 
tion announced the Clipper initiative, the same day AT&T pledged 
their support for it. Unfortunately, Clipper Chips were not ready 
and so AT&T cooled its heels. 

Then very quietly, in August 1993, yet another device was intro- 
duced. This is the 3600 P. It has a proprietary algorithm in it, pro- 
prietary to AT&T. We don't know what its quality is relative to 
DES, but it can't be exported, so it must be pretty good. 

These devices have been on sale — I bought this one from AT&T — 
since last August and they are now selling both the Clipper device 
that has an "E" after the 3600 for "escrow," presumably, and the 
P device to the marketplace. When you ask them what are their 
thoughts on this, they say, well, let's let the market decide what 
it wants. So part of the discussion this morning that you have al- 
ready had about are people going to buy the 3600 escrow device — 
there already is an alternative that they can pick and let the mar- 
ket, in fact, decide. 

In the interests of time, I have done a quick market analysis 
which I won't spend time on. I asked AT&T how many TSD's they 
expected to sell and I was told by one individual they expected to 
sell about as many as the STU-III's that are out there, the very 
popular classified phone systems. There are about 250,000 of those 
out there, and if you look at the chart comparing the number of 
wiretaps that are anticipated and the 500 million phones that are 
in the United States now, my estimate — and I basically challenge 
the administration to produce some contrary numbers that show I 
am wrong. If there are 250,000 such devices sold, there will be 2.5 
key escrow calls intercepted each year. If the $16 million estimate 
for operating the key escrow centers is amortized across that, each 
one of those calls will cost $6.4 million. 

Now, if the numbers are wrong, if we increase it by a factor of 
10 or a factor of 100, when we get to the point where we have 25 
million of these devices, 1 on every 20 telephones, we are still only 
going to get a key escrow call every 1½ days and it is still going 
to cost $64,000 for that call, which is twice the price of a current 
wiretap that doesn't involve cryptography. 

I would like to switch for a moment to the export control situa- 
tion just to emphasize the things that we have here on the side. 
The administration has asserted that export controls are not harm- 
ful to U.S. business because there are no commercially available 


foreign products involving cryptography. Last year, the Software 
Publishers Association commissioned a study to look at this issue 
and we have our latest results over in this chart. 

We have now found over 340 foreign products that involve cryp- 
tography coming from 22 countries around the world. One hundred 
fifty-five of these use DES and 70 of them at least use it with soft- 
ware. We have been able to purchase products from the companies 
listed on the bottom there and those are on display. The notebooks 
that we have there contain the product literature that we have on 
each of the products that are there. It is arguable that this is not 
an overwhelming number that we have found, but it certainly ap- 
pears more significant than many people have suspected. 

Another thing that we have found from our survey, though, that 
is frightening to me, at least, and to U.S. businesses is that those 
products that we obtained are DES software products. We got them 
from Australia, Denmark, Finland, Germany, Israel, Russia and 
the United Kingdom. We got them without any trouble at all. In 
many cases, these people have distributors around the world, some- 
times in the United States. You can call a German company on an 
800 number. Somebody in Connecticut answers it, and you will 
have a DES software product on your desk the next day. We cannot 
ship those back. We would be in complete violation of U.S. export 

The issue here is that it is not a level playing field. Our allies, 
our friends, in England and in Germany are routinely shipping 
products like this to us which we can't ship to them, and that is 
a very grave concern and why I have particular support for the 

Senator Leahy. So if you were an American company with 
branches overseas and you wanted to use this, you would have the 
branches overseas buy the product from the source overseas and 
then ship to you the product that you would use back here? 

Mr. Walker. Well, if it was my company overseas, my subsidi- 
ary, I can get approval from the State Department. It takes about 
6 months to do that, but you are right. 

Senator Leahy. Yes; I understand that. I am talking about a 

Mr. Walker. Multinational companies are routinely buying prod- 
ucts from foreign sources. In my written testimony, I have several 
examples. A company called Semaphore in California listed about 
15 examples of lost sales recently that they have encountered, and 
everyone has these experiences. Fortune Magazine this month has 
a two-page article in which the president of Sun and other compa- 
nies talk about how serious this problem is and how little good it 
is doing anyone. 

Senator Leahy. The laptops that we are going to use in your 
demonstration didn't come with encryption capability already pro- 
grammed in them, did they? 

Mr. Walker. No; they did not. 

Senator Leahy. Was it very difficult to add the DES program to 

Mr. Walker. No; the gentleman who did it is sitting behind me. 
It took him about a day to add it. Basically, if you wish, sir — yours 
looks like it is in working order there. 


Senator Leahy. The computer is in working order. That doesn't 
necessarily mean that I am going to know what I am doing with 

Mr. Walker. Well, it is going to be easy. I will explain it to you, 


Senator Leahy. I have got the cursor on "talk" right now. 

Mr. Walker. Don't hit yet. 

Senator Leahy. I mean, it is so tempting. My hand is just twitch- 
ing here. 

Mr. Walker. OK; go ahead. It is all right. 

Senator Leahy. No, no, I am not going to. Go ahead, go ahead. 

Mr. Walker. It is all right if you would like to do that. 

These are basically Macintosh PowerBooks. They are actually 
last year's models. If we had had this year's models, it would run 
a little bit faster. This is a program that is available for about $70 
from a company called Two Way Communications in San Diego, 
CA. It is routinely available to anybody who wants it. These 
laptops have built into them speakers and microphones, and there- 
fore they have the ability to handle multimedia communications of 
all sorts. 

Basically, what we did was obtain this piece of software from the 
San Diego Company which, incidentally, is written by a program- 
mer in Moscow. That has nothing to do with the cryptography at 
all, just an indication of the worldwide nature of all of this. It has 
on it a button called "talk" which, if you hit the cursor, will allow 
you to talk to me. If you would like to do that, go ahead. 

That is working. 

Senator Leahy. OK; now, it says "stop." Is that OK? 

Mr. Walker. Yes; when you are activating it, it will then give 
you the opportunity to turn it off by hitting the "stop" button. Now, 
if you notice down below there is a little button called "encrypt 
sound" just below the "talk" button. It is a little square. 

Senator Leahy. Yes. 

Mr. Walker. If you will just move the cursor down and press 
that, sir? 

Senator Leahy. Got it. 

Mr. Walker. Now, you are speaking to me in DES encrypted 

Senator Leahy. All right. 

Mr. Walker. It doesn't sound any different than it did before. 

Senator Leahy. No. I am just going to adjust my volume here a 
little bit. 

Mr. Walker. The volume needs to be adjusted in the room. 

Senator Leahy. So, now, is the sound going through, encrypted 
at your end? 

Mr. Walker. Well, no. It is in the clear at my end. 

Senator Leahy. I mean, it is encrypted between here and where 
you are. 

Mr. Walker. Yes; if you would hit the "stop" button, then I will 
talk through you and be able to indicate to you how it would sound 
if you were intercepting this. 

Senator Leahy. I just hit the "stop" button. 

Mr. Walker. OK; now, I will turn mine on. The reason we do 
this one way right now — I mean, one at a time — is because of the 


lack of power in these laptop computers. If we had PC's sitting 
here, then it would be much better. 

Now, I am going to hit the "encrypt" button. Now, I am speaking 
to you encrypted. Can you hear me or do we need to adjust the 

Senator Leahy. No; I can hear it. 

Mr. Walker. We are getting feedback through the speaker sys- 
tem, I am afraid. Now, if I decided I didn't want you to hear what 
I was doing anymore, I could hit the "encrypt" button again. This 
is what you would hear if you had the wrong key. I will turn it off 
so that we don't have to do that again. This is the same thing that 
they talked to us about with the tape that they were playing where 
you hear the white noise. 

Essentially, all I did was change the key that I am using, and 
you didn't know what the key was and so what you heard was 
noise. So if you were somewhere out on the net intercepting this, 
that is what you would get if we didn't have the same key. 

Basically, that is the demo. It is that laptop computers can be 
used as telephones or as communications vehicles over the Internet 
or anywhere else on a routine basis. This stuff is available right 
now, and adding cryptography to it was fairly trivial. It took a day 
or so to find where to put it in here and then just take DES from 
anywhere in the world and plug it in. The effect on you and me 
hearing this is, in fact, no different when it is encrypted than when 
it is not. 

I will turn mine off. You can turn it back on if you would like. 

Senator Leahy. I hit "stop." I think I am off. 

Mr. Walker. I can hear you now. 

Senator Leahy. You can? 

Mr. Walker. Yes. 

Senator Leahy. Now, what do I do to turn this sucker off en- 

Mr. Walker. You just hit the "stop" button and close the top. 
The point of this is not that there is any magic here; in fact, that 
there isn't any magic here. 

Senator Leahy. But it also makes a point I asked earlier in the 
hearing of is it possible to just set this up with a commercial 
encryption program. 

[Stephen T. Walker submitted the following materials:] 

Prepared Statement of Stephen T. Walker 

I am pleased to testify today about the concerns I share with many Americans 
about the Administration's Clipper Initiative and the negative impact that U.S. ex- 
port control regulations on cryptography are having on U.S. national economic inter- 

My name is Stephen T. Walker. I am the founder and President of Trusted Infor- 
mation Systems (TIS), Inc., an eleven year old firm with over 100 employees. With 
offices in Maryland, California, and England, TIS specializes in research, product 
development, and consulting in the fields of computer and communications security. 

My background includes twenty-two years as an employee of the Department of 
Defense, the National Security Agency (NSA), the Advanced Research Projects 
Agency, and the Office of the Secretary of Defense. During my final three years in 
government, I was the Director of Information Systems for the Assistant Secretary 
of Defense for Communications, Command, Control, and Intelligence (C3I). 

For the past three years, I have been a member of the Computer System Security 
and Privacy Advisory Board, chartered by Congress in the Computer Security Act 
of 1987 to advise the Executive and Legislative Branches on matters of national con- 
cern in computer security. In March 1992, the Board first called for a national re- 


view of the balance between the interests of law enforcement/national security and 
those of the public regarding the use of cryptography in the United States. The 
Board has been heavily involved in this review, receiving public input on the Ad- 
ministration's Clipper initiative, announced by the President on April 16, 1993, and 
reaffirmed on February 4, 1994. I am also a member of the National Institute of 
Standards and Technology's (NIST) Software Escrowed Encryption Working Group, 
which is examining the possibilities for alternatives to the Clipper key escrow sys- 


My testimony today will include my concerns with the Administration's Clipper 
key escrow program and U.S. Government's rigid control of the export of products 
containing cryptography in the face of growing worldwide availability and easy ex- 
port of such products by other countries. In Summary: 

I am opposed to key escrow cryptography as proposed in the Administration's 
Clipper Initiative. 

I believe that any government procedure that is as potentially invasive of the 
privacy rights of American citizens as key escrow should only be imposed after 
careful Congressional consideration and passage of legislation by the Congress, 
which is signed into law by the President and determined to be Constitutional 
by the Supreme Court. In 1968, properly authorized government wiretaps of pri- 
vate citizens were legalized through this process. Government imposition of key 
escrow procedures deserves no less careful consideration. 

I believe that most Americans would accept government-imposed key escrow 
if it was established by law and if the key escrow center was located in the Ju- 
dicial Branch of government. 

I am concerned that there is not a sound "business" case to support the Ad- 
ministration's assertion that key escrow will maintain law enforcement's ability 
to wiretap the communications of criminals. I fear that as presently being pur- 
sued, the Clipper Initiative will be an expensive program that will yield few if 
any results. 

I am angered that the government's fixation on law enforcement and national 
security interests has delayed establishment of a Digital Signature Standard 
(DSS) for over twelve years and done considerable harm to the economic inter- 
ests of the United States. 

I am also opposed to the continued imposition by the U.S. Government of ex- 
port controls on products and technologies employing cryptography that are rou- 
tinely available throughout the world. The only effects these controls have are 
to deny U.S. citizens and businesses protection for their sensitive information 
from foreign and domestic industrial espionage and to place U.S. information 
system products at a disadvantage in the rapidly growing international market- 


A number of recent Administration initiatives have heightened the concerns of 
many Americans: 

• The digital telephony initiative, in which the government wants to ensure that 
it can always tap everyone's phone when it has the legal authority to do so, 

• The Clipper key escrow initiative, in which the Administration wants to be sure 
that it can easily break the cryptography of American citizens when it has the 
legal authority to do so, 

• The Digital Signature Standard non-initiative, in which the government has re- 
peatedly, for twelve years, failed to achieve a basic technological capability that 
is widely acknowledged as being essential to electronic commerce, and 

• The continued imposition of controls on the export of cryptographic products in 
spite of clear evidence of foreign availability of similar products and foreign gov- 
ernments' failure to impose similar export controls, and in contrast to the mas- 
sive relaxation of export controls in other areas of high technology. 

All of these activities, taken together, lead one to the ominous conclusion that the 
Administration's goal is to severely restrict the average American's ability to protect 
his or her sensitive information with the hope that in so doing, it will also restrict 
such capabilities of criminals, terrorists, and those opposed to the United States. 

All of these initiatives are symptoms of the fundamental national dilemma we 
face of finding a proper balance between: 


• The rights of private individuals and organizations to protect their own sen- 
sitive information and, in effect, our national economic interests and 

• The needs of law enforcement and national security interests to be able to mon- 
itor the communications of our adversaries. 

Until we can strike a reasonable balance between these basic needs, this debate 
will continue. Unfortunately, the Administration's position is focused solely on the 
interests of law enforcement and national security to the exclusion of the rights of 
private citizens and the nation's economic interests. 

I believe that only the Congress can determine where a reasonable balance lies 
between Americans' right to privacy and our national security interests. 

We can no longer afford to have this determination being made exclusively by the 
Executive Branch. 


I would like to begin by summarizing my concerns with the Administration's key 
escrow initiatives. 

Law enforcement and national security communications interceptions are vital 
functions of a modern government. I support these functions and encourage their 

But the sky will not fall if we do not have Clipper key escrow or if cryptographic 
export controls are relaxed to levels consistent with worldwide availability. Law en- 
forcement as we know it will not end if a few wiretaps encounter encrypted commu- 
nications. And the nation's ability to listen in to the communications of its adversar- 
ies will not end if some of those intercepts encounter increased use of cryptography. 

They had better not end, because both law enforcement wiretaps and national se- 
curity intercepts are going to encounter ever-increasing amounts of encrypted com- 
munications no matter what the Administration does or does not do. 

We must understand and accept the growing availability of cryptography world- 
wide as a basic fact of life. The ever-widening availability of cryptographic tech- 
nology in the U.S. and overseas will make it harder day by day to monitor the com- 
munications of our adversaries, no matter what measures the Administration may 
attempt to take. There are no magic solutions to this issue, which originates in the 
very same technological advances that we are all taking advantage of in our daily 

We must also understand that those same technological advances are creating 
greatly improved techniques for exhaustively checking the key space of cryp- 
tographic algorithms such as DES and for factoring large prime numbers. A design 
for a system that could exhaustively check the key space of DES in 3½ hours was 
described at a public conference on cryptography last Summer. A group at Bellcore 
recently announced they had factored a 129 digit number, a new high. 

The concept put forward by some in government that if we do not have key escrow 
or if we allow export of DES products, all our intelligence operations will suddenly 
fail, is false. On the contrary. Key escrow will never be more than a small side show 
in the world of cryptography and DES cryptography will continue its rapid growth 
worldwide whether the US allows its export or not. Our government will be much 
better served by focusing on techniques to defeat known algorithms rather than pro- 
moting new techniques that are highly unpopular in the US and abroad. 


Since 1968, when the wiretap provisions of the Omnibus Crime Control and Safe 
Streets Act went into effect, we seem as a nation to have found a constructive bal- 
ance between the needs of law enforcement to intercept communications of sus- 
pected criminals and the desire of the public for the perception of privacy in its com- 
munications. The apparent successes that law enforcement has achieved through le- 
gally authorized wiretaps against organized crime, coupled with the difficulties cited 
by law enforcement officials in obtaining them, and the steady rate of 800 or so per 
year over the past decade all indicate that we probably have achieved about as good 
a balance on this issue as we can ever get. 

But now technological advances threaten to upset this balance. The ready avail- 
ability of good quality cryptography in inexpensive phone devices threatens to make 
it easy for those criminals who recognize that they may be tapped to protect them- 
selves. The AT&T announcement in September 1992 of a relatively cheap Telephone 
Security device (TSD) that uses the Data Encryption Standard (DES) cryptographic 
algorithm to protect phone conversations apparently threw NSA and the FBI into 
high gear to find an alternative. 


And bring on clipper 

What emerged from this was the Clipper initiative, the goal of which is to give 
the American public very good cryptography that could, if necessary, be readily 
decrypted by authorized law enforcement officials. A firestorm of protests then fol- 
lowed from virtually all segments of the American public and many of our friends 
overseas that government-imposed key escrow is not something that they want. 

In the midst of the flood of protests over violations of civil liberties and infringe- 
ments of Bill of Rights that key escrow will cause and complaints about the use of 
a secret algorithm to protect unclassified information, several basic "laws" of the 
marketplace seem to have been overlooked. The Administration has never presented 
a "business plan" describing how Clipper will succeed in maintaining the ability of 
law enforcement to wiretap the phones of criminals. The lack of a fundamental un- 
derstanding of how things work in a competitive marketplace shows up conspicu- 
ously throughout this story. 

One of the first principles of business is to have your product ready for the market 
when the market is ready for it. In January 1993, following their September 1992 
announcement, AT&T began shipping TSDs with DES. But pressure from the gov- 
ernment apparently convinced AT&T to endorse the as yet unannounced Clipper 
program. So AT&T "loaned" the DES devices to their first customers with a promise 
that something "better" would be available in "April." And sure enough, on April 
16, 1993, as the Administration announced Clipper, AT&T pledged its support. 

Unfortunately, Clipper chips were not ready. So AT&T cooled its heels waiting for 
something to sell. Finally, in August 1993, AT&T quietly introduced another TSD 
that uses proprietary cryptographic algorithms, thus creating a major competitor for 

In effect, we have come full circle. In September 1992, the initial AT&T announce- 
ment was perceived by the government as a major threat to law enforcement. In 
August 1993, while waiting for Clipper chips, AT&T introduced a similar product 
that must represent a similar threat. AT&T is now selling both Clipper and non- 
Clipper TSDs in order to let the market decide which it wants. 

What is the market for clipper? 

In any business venture, it is important to understand the potential market for 
a product and to determine if one's market penetration will be sufficient to achieve 
one's goals. 

For it to maintain law enforcement's ability to wiretap, the Clipper initiative must 
achieve a reasonably high market penetration. The problem is that very few people 
today will want to buy a telephone security device, even if it costs $50 instead of 
over $1,000. Very few residential users will bother, and those who do will find few 
people to talk to. Businesses will buy telephone security devices for their executives 
to protect strategic business communications, but the vast bulk of routine business 
communications will go unprotected. 

Today there are estimated to be over 500 million phones in residential and busi- 
ness use in the U.S. When asked how many TSDs AT&T expected to sell, one esti- 
mate was at least as many as the popular STU-III secure phones for use with clas- 
sified information. There are approximately 250,000 STU-IIIs installed today. 

Numbers like these represent a very reasonable business case for AT&T, but will 
they allow the Clipper program to achieve its goal of solving the law enforcement 
wiretap problem? 

If the above estimates are correct, in a few years roughly five one-hundredths of 
one percent (0.05%) of America's phones will be protected by TSDs (250,000/ 
500,000,000). Of course many of these will use the proprietary algorithm rather 
than Clipper. But we will optimistically assume that this percentage represents the 
situation with Clipper TSDs in five years. 

Now if one analyzes the average number of court-authorized wiretaps over the 
past fifteen years, one can reasonably conclude that 1,000 such wiretaps per year 
would be a reasonable projection for the near future. One could further assume that 
each court-ordered wiretap results in as many as five actual phone taps. This leads 
to an estimate of 5,000 physical wiretaps per year. A typical cost for a wiretap oper- 
ation not involving cryptography has been estimated at $50,000 to $60,000. 

In the Administration's proposed key escrow plan, there will be two key escrow 
centers, one at NIST and one at Treasury, that, when fully operational, will be 
available 24 hours a day, seven days a week, year round. These will each require 
a staff of at least ten people at a labor cost of $1.5M per year. The non-labor costs 
of each center will be another $1.5M leading to a total annual cost for both centers 

No estimate exists for how much it has cost to develop and promote the Clipper 
initiative. In a business analysis, it would be important to amortize these costs over 


the expected value of the "product," but for now all we have to use is the estimated 
cost of operating the centers. 

If Clipper TSDs represent 0.05% of the phones in America and there are 5,000 
taps per year, then law enforcement officials can reasonably expect to encounter on 
average 2.5 Clipper key-escrowed phone taps per year, or one every 145 days. If the 
cost of the key escrow center operations is amortized over 2.5 calls per year, each 
key-escrowed wiretap will cost $2.45M ($50 K for wiretap and 2.4M for escrow cen- 
ter expenses). At $1,000 per TSD, 250,000 will cost the consumer $250M. 

But suppose the STU-III equivalent estimate is far too conservative for sales of 
TSDs. If sales are 2.5 million devices (0.5% of all phones), this will lead to intercep- 
tion of approximately 25 key-escrowed phone calls per year, about one every fifteen 
days. If the key escrow centers' costs are amortized over 25 calls per year, each key- 
escrowed wiretap will cost $290,000 ($50 K for wiretap and $240K for escrow center 
expenses). If TSD prices fall in an expanded market to $500 per TSD, 2.5M devices 
will cost the consumer $1.25B. 

If the demand for TSDs is truly enormous, reaching 5% of all phones in the U.S., 
one could expect about one key-escrowed wiretap every day and a half. In this case, 
the cost of a key-escrowed wiretap will rise to $74,000 ($50 K for wiretap and 
$24,000 for escrow center expenses). Only in this last case does any form of cost 
benefit tradeoff for the cost of a wiretap make sense. Even if prices were to fall to 
$100 per TSD, 25M will cost the consumer $2.5B. 

Number of Clipper Telephone Security 

Percent of U.S. phones: 

Number of Key Escrow 

One call to key escrow center every: 145 days; 15 days; 1.5 days 

Cost per escrowed key 

This scenario assumes that the population of phones likely to be tapped is roughly 
the same as that of the general population. Unfortunately, this is unlikely to be true 
since, on one hand, the average criminal who doesn't realize he is likely to be tapped 
is unlikely to bother with any form of TSDs and so can be wiretapped using conven- 
tional means and, on the other hand, the "sophisticated" criminal, who understands 
what he may be up against, will almost certainly buy non-key escrowed TSDs. 
Under these circumstances, 2.5 key-escrowed calls per year is probably very optimis- 

Now there are those who say, "If only one of those calls is a World Trade Center 
bomb plot, it will all be worth it!" But the World Trade Center bombers went back 
for a deposit on the rental truck they blew up. If they are the types we are up 
against, they will not have enough sense to use a TSD. And as pointed out above, 
the sophisticated criminal will surely know enough to not buy a key-escrowed TSD. 

A contradictory story has also been put forth that claims that the Administration 
never intended to catch criminals using key escrow. In this version, the intent was 
to introduce cryptographic capabilities that are substantially better than what is 
available now and to include key escrow to deny their use to criminals. If this is 
the "real" reason for Clipper, then the Administration must understand that they 
will never get any wiretap calls for key escrow. If so, one must anticipate that the 
extensive protections now being planned for the escrowed keys will diminish over 
time from disuse. If this happens, all those who bought the "stronger" encryption 
capability will then become vulnerable to trivial decryption. 

The Administration has stated that its plan is to buy enough TSDs to flood the 
market, thus making them so cheap that everyone will buy them. Their plan for 
"flooding" the market is to buy 9,000 devices using funds confiscated from criminals. 
Such a purchase will have little effect either in achieving the installed base nec- 
essary for key escrow to work properly or in reducing the price to a level where the 
devices are pervasive. 

Even if every factor in this analysis is slanted in favor of Clipper, it is difficult 
to see how this program is going to help law enforcement maintain its ability to 
wiretap criminals. Clipper is an expensive program for both the government and the 
consumer that shows little if any promise of achieving its goal. 


International aspects of key escrow 

The Administration has stated that Clipper systems with key escrow will be ex- 
portable. The question remaining to be answered is will anyone outside the U.S. be 
interested. In July 1992, NSA agreed that certain encryption algorithms that were 
limited to 40-bit key lengths could be exportable. But 40-bit key lengths are so weak 
that no one inside or outside the U.S. would want them. It is clear that foreign gov- 
ernments may want key escrow systems to allow them to monitor communications, 
but their citizens will generally share the concerns of most Americans. 

It may be possible for governments to work out bilateral agreements to share 
escrowed keys (though little progress has been reported to date), but this will do 
nothing for the growing need of multinational companies to communicate with oth- 
ers across international boundaries. The international aspects of key escrow remain 
a thorny problem, which will defy solution for a long time. 

The capstone tessera program 

Apparently when AT&T announced its DES TSD in late 1992, NSA had already 
been working on a program called Capstone which was to provide good quality cryp- 
tography and key escrow for computer communications. Applying these techniques 
to telephones required only a stripped down Capstone, which came to be called Clip- 

Capstone is a key ingredient in a program to provide information security for the 
Defense Message System and other programs within the Department of Defense. It 
is also being pushed for a wide variety of other programs within the government 
including the IRS, Social Security, and even Congressional systems. 

Providing good cryptographic protection in a computer communications environ- 
ment is much more difficult than in a telephone context. The ease with which a user 
can manipulate his or her text either before passing it to the Capstone process or 
after it has been encrypted makes it very difficult to ensure the effectiveness of the 
result. Also, the technologies involved in the present implementations of the Skip- 
jack algorithm, while sufficient for telephone and low speed computer communica- 
tions, will not easily scale to meet the needs of high speed computer communica- 

Because it uses a secret algorithm, Capstone and the oroducts that use it will onlv 
be available in hardware implementations such as the NSA Tessera PCMCIA card. 
It has been suggested that if the interfaces that Tessera uses could be generalized
so that other cryptographic algorithms could be implemented in compatible pack- 
ages, the Tessera program could have a much greater market penetration. 

The Government has stated that Tessera will be exportable. If such common cryp- 
tographic interfaces existed, mass market software vendors who support Tessera 
could integrate cryptographic functions into their applications without concern for
export controls on their products and vendors within individual countries could
build Tessera equivalent PCMCIA cards using alternative cryptographic algorithms. 
Such a development would provide a fundamental increase in the market for cryp- 
tographic products and thus increase the chances for market penetration of products 
such as Tessera. At this time, it is unclear whether NSA will choose to generalize 
the Tessera interfaces to allow cards with other algorithms to coexist. 

Strengths of Clipper

I am convinced that Skipjack, the cryptographic algorithm in Clipper, is a very 
good algorithm. I also believe that procedures can be developed for protecting 
escrowed keys that will provide reasonable assurance that the keys will not be com- 
promised under normal circumstances. I have known many of the people at NIST 
and NSA who have worked on this program for many years. I believe they are hon- 
est, well-intentioned people who are doing the best job they can to protect the inter- 
ests of the law enforcement and national security communities. 

My concerns are not with the strengths of this program or the integrity of the 
people who have put it together but with whether there is any practical chance that 
it will achieve its goals and whether the American people are ready for key escrow. 

What should Congress do? 

For any form of key escrow system to work, it must have the confidence of the 
American people. The Administration claims that it does not need legislation to im- 
pose key escrow, that it is operating entirely within the provisions of the wiretap 
statutes. This may be legally correct, but we should take lessons from the past on 
how to convince people to accept ideas that do not immediately seem to be in their 
best interests. 

At least once before in modern times, the government was faced with convincing
the American public to allow something that did not seem in the best interests of 


the average citizen, that is, to allow the government to wiretap phones. But in 1968, 
Congress passed and the President signed a law that established a balance on the 
wiretap issue that appears reasonable to most of us. 

If key escrow is the vital answer to encrypted wiretaps as the Administration 
claims, we should follow the same process we did for authorizing wiretaps:

(1) Congressional debate, 

(2) Passage of legislation, 

(3) Presidential signature, and 

(4) Judicial review. 

This full process is necessary before the American people will accept key escrow. 
The only excuse for not doing this seems to be that the process will take too long. 
But the reaction to date indicates that by not taking the time for the legislative
process, the Clipper program will be little more than a program the government im- 
poses on itself. 

I strongly recommend that the Administration propose legislation that would give 
key escrow the same legal standing as court-ordered wiretaps. If the Administration 
does not take this action soon, I believe the Congress should act on its own to review
this concept and determine if key-escrowed communications should be imposed on 
the American people. 


Key escrow is not the only instance in which the Administration has focused al- 
most exclusively on the law enforcement and national security side of an important 
issue. In almost total contrast to the haste with which the Clipper initiative has pro- 
ceeded, the government's efforts over the past decade to establish a digital signature 
standard, an essential tool in any form of electronic commerce, have failed miserably.
The background of this incredible failure should be very embarrassing to someone,
but it appears there are so many participants that no one needs to take the

According to a recent GAO report, this odyssey began in the early 1980s when 
the National Bureau of Standards (NBS, now NIST) sought a public key encryption 
standard to complement the DES. No progress was made even though nearly every- 
one acknowledged the essential need for such a capability and that the technology 
necessary for it already existed in the RSA public key encryption algorithm among 

In the 1988 hearings on the progress of the Computer Security Act, the Directors 
of NSA and NBS were pressured to get on with establishing a public key encryption
standard. In the recently released, highly censored proceedings of the joint NSA- 
NBS Technical Working Group, the tortuous deliberations toward a DSS are evi- 
dent. Despite the ready availability of technology such as RSA, which could have 
provided a DSS as early as 1982, the government persisted in seeking an alternative 
with limited capabilities. 

In the House Subcommittee on Science hearing on Internet Security, March 22, 
1994, Mr. Lynn McNulty, Associate Director of the NIST National Computer Sys- 
tems Laboratory, testified that: 

* * * our strategy * * * was to develop encryption technologies that did
not do damage to the national security or law enforcement capabilities of 
this country. And our objective in developing the digital signature standard 
was to come out with a technology that did signatures and nothing else 
very well. It could not be used for either encryption or to provide key management
or key distribution techniques for other symmetric encryption

With these constraints, the government placed itself in a very difficult situation 
that it has proceeded to make very much worse with time. 

In August 1991, after considering at least four alternatives, NIST finally an- 
nounced with much fanfare the selection of the Digital Signature Algorithm (DSA) 
for the DSS. NIST stated that this algorithm, patented by an NSA employee, would 
be royalty-free to all parties, an attractive offer since the use of RSA or other public 
key alternatives would require royalty payments to RSA Data Security, Inc., or Public
Key Partners (PKP). A royalty-free signature algorithm was sufficiently attractive
that many felt DSA could succeed against the already popular RSA algorithm.

The initial public comment period on the DSS selection brought mostly technical 
comments on the algorithm itself. Following this there was a long silent period dur- 
ing which NIST's only comment was that the lawyers were working on patent is- 


sues. It seems there was a German, Professor Doctor C.P. Schnorr, who had a U.S. 
patent that he claimed was infringed upon by the DSA. NIST visited Professor Doc- 
tor Schnorr seeking to work out the patent issues. Apparently PKP did also, because 
in early 1993, PKP told the government that they now had the rights to Professor 
Doctor Schnorr's patent and that use of DSA by the government would infringe 
upon their patent rights. 

In order to resolve this problem, NIST announced in June 1993 that they in- 
tended to give PKP an exclusive license to the DSA. The U.S. Government would 
have free use of DSA, but everyone else, including foreign governments, would have 
to pay royalties to PKP. This situation was very different from the August 1991 pro- 
posal. Now the only advantage of DSA over its well-established rival RSA was gone. 
The government wanted DSA because it could not be easily used for functions other 
than digital signature. But the public and other governments could no longer per- 
ceive any advantage to DSA. 

The public comments, including several from foreign governments, on this NIST 
licensing proposal were overwhelmingly negative. Again the government's lack of 
any sense of the impact of this on the marketplace was apparent. Another long pe- 
riod of silence by the government extended from late summer 1993 until early 1994. 

Then on February 4, 1994, as part of the Clipper approval announcement, NIST 
stated that the exclusive licensing of DSA to PKP would not take place, and it was 
the government's intention that the DSA would be available to anyone free of royalties.
When asked what the government would do now to make this possible, the response
was they would either (1) continue trying to negotiate a deal with PKP, (2)
take the process to courts to prove that DSA did not infringe upon PKP's patents, 
or (3) develop a new algorithm. There was, of course, no timetable for resolving 
these alternatives. 

So now we are no better off than we were in mid-1991 or perhaps even 1982. But 
today there are major commercial activities that are using RSA as the basis for digital
signatures and there are major government programs, such as the IRS modernization
effort, that must have a digital signature capability to succeed. NIST's
present advice to government programs in need of a digital signature capability is 
to do whatever they want. 

Recalling Mr. McNulty's testimony from above, we have another example of the 
government's insistence that law enforcement and national security interests totally 
dominate those of the public and civilian government. The result is that a capability 
that could have been available as a government standard in 1982 and is now a 
de facto commercial world standard has been held back for twelve years, and there
remains no real prospect for when this issue will be resolved. 

What should Congress do? 

Unfortunately, in this case it is difficult to suggest what the Congress can do. 

It would be unusual but not out of the realm of possibilities for the Congress to 
mandate the use of an existing industry standard for digital signatures for all government
programs involving electronic commerce. The clear failure of the Executive
Branch to find a suitable alternative after twelve years of searching and the urgent 
needs of government and commercial interests to have a readily available means for 
signing electronic documents would justify such a step by the Congress.


And there are other examples of how the government's dominant concern for na- 
tional security and law enforcement capabilities has driven the U.S. down paths 
that harm our national economic interests. 

Since the publication of the DES as a U.S. Federal Information Processing Stand- 
ard (FIPS) in 1977, cryptography has shifted from the exclusive domain of govern- 
ments to that of individuals and businesses. DES in both hardware and software 
implementations is a de facto international standard against which all other cryptographic
algorithms are measured.

The controversy that arose as soon as DES was published concerning whether it 
had weaknesses that intelligence organizations could exploit fostered the highly 
fruitful academic research into public key cryptography in the late 1970s. Public key 
algorithms have the major advantage that the sender does not need to have estab- 
lished a previous secret key with the recipient for communications to begin. Public 
key algorithms, such as RSA, have become as popular and widely used as DES
throughout the world for integrity, confidentiality, and key management. 

Software Publishers Association study

The Administration has asserted that export controls are not harming U.S. eco- 
nomic interests because there are no foreign cryptographic products and programs 


commercially available. Implementations of DES, RSA, and newer algorithms, such 
as the International Data Encryption Algorithm (IDEA), are available routinely on 
the Internet from sites all over the world. But according to the Administration, 
these do not count as commercial products. 

In order to understand just how widespread cryptography is in the world, in May
of 1993, the Software Publishers Association (SPA) commissioned a study of products
employing cryptography within and outside the U.S. There was a significant
amount of knowledge about specific products here and there, but no one had ever 
tried to assemble a comprehensive database with, where possible, verification of 
product availability. I reported the results of this survey in hearings before the Sub- 
committee on Economic Policy, Trade and Environment, Committee on Foreign Af- 
fairs, U.S. House of Representatives last October. 

Information on new products continues to flow in daily. As of today: 

• We have identified 340 foreign hardware, software, and combination products 
for text, file, and data encryption from 22 foreign countries: Argentina, Aus- 
tralia, Belgium, Canada, Denmark, Finland, France, Germany, Hong Kong, 
India, Ireland, Israel, Japan, the Netherlands, New Zealand, Norway, Russia,
South Africa, Spain, Sweden, Switzerland, and the United Kingdom. 

• Of these, 155 employ DES either in hardware or software.

• We have confirmed the availability of 70 foreign encryption software programs
and kits that employ the DES algorithm. These are published by companies in
Australia, Belgium, Canada, Denmark, Finland, Germany, Israel, the Nether- 
lands, Russia, Sweden, Switzerland, and the United Kingdom. 

• Some of these companies have distributors throughout the world, including in 
the U.S. One German company has distributors in 14 countries. One U.K. company
has distributors in at least 13 countries.

• The programs for these DES software products are installed by the users insert- 
ing a floppy diskette; the kits enable encryption capabilities to be easily pro- 
grammed into a variety of applications. 

A complete listing of all confirmed products in the database is identified in At- 
tachment 1. 

As part of this survey, we have ordered and taken delivery on products containing 
DES software from the following countries: Australia, Denmark, Finland, Germany, 
Israel, Russia, and the United Kingdom. 

Foreign customers increasingly recognize and are responding to the need to pro- 
vide software-only encryption solutions. Although the foreign encryption market is 
still heavily weighted towards encryption hardware and hardware/software combinations,
the market trend is towards software for reasons of cost, convenience, and

• On the domestic front, we have identified 423 products, of which 245 employ 
DES. Thus, at least 245 products are unable to be exported, except in very lim- 
ited circumstances, to compete with the many available foreign products. 

• In total, we have identified to date 763 cryptographic products, developed or distributed
by a total of 366 companies (211 foreign, 155 domestic) in at least 33

DES is also widely available on the Internet, and the recently popularized Pretty 
Good Privacy encryption software program, which implements the IDEA encryption
algorithm, also is widely available throughout the world. 

The ineffectiveness of export controls is also evident in their inability to stop the 
spread of technology through piracy. The software industry has a multibillion dollar 
worldwide problem with software piracy. Mass market software is easy to duplicate 
and easy to ship via modem, suitcase, laptop, etc. Accordingly, domestic software 
products with encryption are easily available for export — through illegal but perva- 
sive software piracy — to anyone who desires them. 

Foreign customers who need data security now turn to foreign rather than U.S. 
sources to fulfill that need. As a result, the U.S. Government is succeeding only in 
crippling a vital American industry's exporting ability. 

Frequently heard arguments 

There are a series of arguments frequently heard to justify continued export con- 
trol of cryptographic products. 

The first argument is that such products are not available outside the U.S., so 
U.S. software and hardware developers are not hurt by export controls. 

The statistics from the SPA survey prove that this argument is false! 


A second argument is that even if products are available, they cannot be pur- 
chased worldwide. 

Our experience with purchasing products indicates that this also is not true. 
We have found 462 companies in 33 foreign countries and the U.S. that are 
manufacturing, marketing, and/or distributing cryptographic products, most on 
a worldwide basis. The names of these companies are listed in Attachment 2. 

All the products we ordered were shipped to us in the U.S. within a few days. 
The German products were sent to us directly from their U.S. distributors in 
Virginia and Connecticut, respectively. Our experience has been that if there is 
paperwork required by the governments in which these companies operate to 
approve cryptographic exports, it is minimal and results in essentially immediate
approval for shipping to friendly countries.

A third argument frequently heard is that the products sold in other parts of the 
world are inferior to those available in the U.S. 

We have purchased products from several sources throughout the world. We or- 
dered DES-based PC file encryption programs for shipment using routine channels 

• Algorithmic Research Limited (ARL), Israel 

• Sophos Ltd., UK 

• Cryptomathic A/S, Denmark 

• CEInfosys GmbH, Germany 

• uti-maco, Germany 

• Elias Ltd., Russia (distributed through EngRus Software International, UK) 

The products we obtained from these manufacturers and distributors were in
every case first-rate implementations of DES. To better understand if foreign prod- 
ucts are somehow inferior, we have examined several of these products to see if we 
can detect flaws or inherent weaknesses. 

What we have found in our limited examination is that while these products gen- 
erally use fully compliant DES implementations, they sometimes do not make use 
of all the facilities that might be available to them. The result is a full-strength DES 
product that is fully adequate for protecting commercial sensitive information but 
would not meet the strict requirements of a full national security product review. 

Two examples of facilities that these products do not fully utilize are: 

• Initialization Vector (IV) (data added to the beginning of text to be encrypted 
to ensure synchronization with the decryption process). Frequently, these simple
file encryption products use the same IV every time. A product designed for
protecting national security information would vary the IV each time. 

• Key Generation: Frequently, these products use an encryption key derived from 
a string of text that is typed in by the user. Users may tend to use the same
simple alphanumeric text strings to encrypt multiple files. A product designed 
for protecting national security information would generate a truly random 
encryption key, usually with each use.

It is important to note that there appears to be no difference between foreign and 
U.S. commercial products in the use of these simplifications. 

A fourth frequently heard argument is that many countries have import restric- 
tions that would prevent U.S. exports even if the U.S. relaxed its export controls. 

While our survey has focused on the ease of importing products into the U.S.,
we have noted that many of the companies in our survey have distributors through- 
out the world. There may be countries that restrict imports of cryptography just as 
there may be those that restrict internal use of cryptography. But we are unaware 
of any countries in this category. 

Other countries have relaxed export controls 

Our survey results also point to a much more ominous finding! Apparently the 
controls imposed by the U.S. Government on export of cryptographic products from 
the U.S. are far more restrictive than those imposed by most other countries, includ- 
ing our major allies. The effect of this most unfortunate situation is to cripple U.S. 
industry while our friends overseas appear to be free to export as they wish. 

The U.S. imposes very strict rules on the export of cryptographic products. In gen- 
eral, applications for the export of products that use DES will be denied even to 
friendly countries unless they are for financial uses or for U.S. subsidiaries. We 
have been told repeatedly by the U.S. Government that other countries such as the 
United Kingdom and Germany have the same export restrictions that the U.S. does. 


But our experiences with the actual purchases of cryptographic products show a 
very different picture. 

We know that companies in Australia, Denmark, Germany, Israel, South Africa, 
Sweden, Switzerland, and the United Kingdom are freely shipping DES products to 
the U.S. and presumably elsewhere in the world with no more than a few days of
government export control delay, if any. Sometimes the claim is that they have to
"fill out some papers," but it's no big problem. In Australia, we are told, the exporting
company must get a certificate that the destination country does not repress its
citizens. Many countries allow shipment so long as it is not to former CoCom restricted
countries (the former Soviet bloc and countries that support terrorism).

Our experience with these purchases has demonstrated conclusively that U.S. 
business is at a severe disadvantage in attempting to sell products to the world 
market. If our competitors overseas can routinely ship to most places in the world
within days and we must go through time-consuming and onerous procedures with
the most likely outcome being denial of the export request, we might as well not 
even try. And that is exactly what many U.S. companies have decided. 

And please be certain to understand that we are not talking about a few isolated 
products involving encryption. More and more we are talking about major information
processing applications like word processors, databases, electronic mail packages,
and integrated software systems that must use cryptography to provide even
the most basic level of security being demanded by multinational companies. 

Demonstrations of available cryptographic products

We have before us today several examples of cryptographic products that were 
lawfully obtained in the United States from foreign vendors: 

• AR DISKrete: produced by Algorithmic Research Limited (ARL), Israel. Uses 
DES disk/file encryption to provide PC security and access control. 

• EDS: produced by Sophos Ltd., UK. DES-based PC file encryption package. 

• F2F (File-to-File): produced by Cryptomathic A/S, Denmark. DES-based PC file 
encryption utility. 

• Softcrypt: produced by CEInfosys GmbH, Germany. DES-based PC file
encryption utility. 

• SAFE-GUARD Easy: produced by uti-maco, Germany. DES-based PC file 
encryption utility. 

• EXCELLENCE for DOS: produced by Elias Ltd., Russia; distributed through
EngRus Software International, UK. GOST-based (Russian DES equivalent) PC 
file encryption utility. 

In addition to these products, we have the complete set of notebooks of product 
literature we have gathered to confirm the information in our worldwide survey of 
cryptographic products. 

We also have a demonstration of the power of the digital revolution and the im- 
pact it will have on all our communications in the future. Traditionally, when we 
think of voice communications, we think of the telephone in its many forms (desk, 
cordless, cellular, car). However, many modern computer workstations now have the
ability to carry voice as well as other multimedia communications. Routinely today 
on the Internet, voice conferences are held over packet switched communications 

Today we have a demonstration using two off-the-shelf Apple Macintosh 
PowerBooks that come with both speakers and microphones that enable software 
programs such as Talker from 2 Way Computing, Inc., of San Diego, CA, to trans- 
form a laptop computer into a telephone. 

With this laptop computer telephone, it is easy to protect phone conversations 
from eavesdroppers. Since all the telephone functions are performed in software, it 
is trivial to add an encryption algorithm, such as the DES, to the software and pro- 
vide good quality encryption to the digitized speech. 

Export control of information in the public domain 

The U.S. International Trade in Arms Regulations (ITAR) govern what products 
can and cannot be subjected to export controls. These regulations clearly define a 
set of conditions in which information considered to be in the "public domain" can
not be subject to controls. In the ITAR itself, public domain is defined as information
that is published and that is generally accessible or available to the public:

• Through sales at bookstores, 

• At libraries, 

• Through patents available at the patent office, and 


• Through public release in any form after approval by the cognizant U.S. Gov- 
ernment department or agency. 

The Data Encryption Standard has been openly published as a Federal Informa- 
tion Processing Standard by the U.S. Government since 1977. Implementations of 
it in hardware and software are routinely available in the U.S. and throughout the 
world. Publication of software programs containing DES in paper form are per- 
mitted because of the First Amendment in the Bill of Rights. But the export of DES 
as hardware or software remains subject to export control despite its clearly being 
in the public domain.

One frustrating and somewhat humorous result of this situation occurred recently 
when NIST published a FIPS that contained source code for DES. In paper form, 
the Automated Password Generation Standard, FIPS 181, is acceptable for world- 
wide dissemination. But when NIST made the FIPS available over the Internet 
without an export restriction notice, it was immediately copied by computers in Denmark,
the UK, and Taiwan. When it was pointed out that NIST's actions were in
apparent violation of the ITARs, they quickly moved the file to a new directory with 
an appropriate export prohibition notice. Now FIPS 181 is available from hosts 
throughout the world along with the notice that export from the U.S. is in violation
of U.S. export control laws. 

NIST "exported" source code for DES with apparent immunity. Phil Zimmerman 
is still being investigated by the U.S. government and facing a four year imprisonment
for allegedly doing nothing more.

Unfortunately, U.S. companies are not allowed to treat the export of DES in quite 
so simple a manner. As discussed earlier, DES is routinely available anywhere in 
the world. It meets the definition of "in the public domain" on numerous levels. And 
yet U.S. companies are prevented from exporting it other than to Canada. This situ- 
ation is yet another example of the inconsistencies of U.S. export control policies. 

Industrywide experiences 

Some companies do try to compete and offer excellent DES-based products in the 
U.S. But because of the export restrictions, they must develop weaker versions for 
export if they wish to pursue foreign markets. Many companies forgo the business 
rather than spend extra money to develop another inferior product that cannot com- 
pete with products widely available in the market. 

The government already has a measure of lost sales and dissatisfied customers 
in the number of State Department/NSA export license applications denied, modified,
or withdrawn. However, it is impossible to estimate accurately the full extent
of lost sales. Many potential customers know that U.S. companies cannot meet their 
demand and thus no longer require. Conversely, most major companies have given 
up even trying to get export approvals for DES to meet customer demand. 

One U.S. company, Semaphore Communications Corporation, that makes products
using DES encryption has provided the following comments on their recent experiences
(quoted from a letter dated 4/20/94 to Stephen T. Walker from William Ferguson
of Semaphore):

As a small company with limited resources, we have chosen to get an as- 
sessment directly from the NSA prior to investing too many resources in 
pursuing the situations, as the NSA Export Office is the ultimate authority 
on whether any export license will be granted; or the U.S. companies with
familiarity of the export regulations have advised us of their position before 
we invested too many resources. 

The recent short-list of opportunities include: 

1. NATO: order placed by SHAPE Technical Centre in 11/93 as precursor of NATO-wide
security plan; pre-order query to State Dept. gave verbal approval as shipment
was to an APO address: on submitting license application, NSA denied permission
to ship. NATO officials are currently trying to get permission from NSA,
but have thus far been denied. 

2. Hong Kong Immigration Department: project to secure network communications 
for all department sites with fully redundant scheme: sought ruling before bidding
in partnership with AT&T; denied 4/93. All competitors bid Racal; as a British
company they had no restrictions. 

3. Norway Telecom: planning secure network for government and financial users 
using single solution: sought ruling before bidding; told use sounded too general 
and export office would have difficulty approving. 10/93. 

4. Dutch National Police computer network: application to secure entire national 
data network: advised would not be granted permission when seeking pre-bid ruling,
11/93. Attempted to have our application viewed in same context as open license
granted to DEC and IBM for similar equipment, but advised would need
letters from all Dutch government agency department heads for any consideration.
This effort would have required more than three months of effort by company
executive located in Holland. Deemed too expensive for only one project.

5. Michelin: seeking solution to secure global network including all US-based, ex- 
Firestone facilities: when advised of export restrictions, Michelin rejected US- 
based technology to seek other solution; 4/93. 

6. Volkswagen: in planning of security strategy for global networks; solicited bid: 
rejected US-based technology when informed of export regulations, 2/93. 

7. Boeing: one of largest global users of secure communications: advised Boeing 
didn't want to have to deal with export regulations for meeting needs: continues 
to buy Racal products to avoid U.S. regulations. Continue to try to sell, but have 
met with resistance for procurements 10/92, 4/93, 11/93. Volume would be very
high as Boeing took delivery of 800 routers in 1993, and our equipment would 
have 1:1 relationship. Boeing now in another review cycle. 

8. GE: has major program in planning to secure global networks: diverse ownership 
in many locations has GE seeking foreign solutions for global uniformity. 

9. Swiss National Justice and Police Department: project to connect all police and 
court locations in country: advised by NSA that approval would be hard to justify 
based on fact that it was Switzerland, 4/94. 

10. Thomsen CSF: seeking technology partner for next generation of Thomsen prod- 
ucts: sought out Semaphore as Thomsen technology group finds our technology to 
be far ahead of any other global options, and wanted to have fast time-to-market: 
NSA suggested we discontinue further discussions, 4/94. 

11. Sikorsky: advised permission would not be granted for equipment at foreign
joint-venture partners for new commercial helicopter venture, 3/94. Revisited with 
another NSA export official in 4/94, and advised that license might be granted if 
use was to principal benefit of a USA company. No firm commitment until license 
application is submitted as one location is in Japan. 

12. Glaxo Pharmaceutical: world's largest pharmaceutical company has global requirement
to secure testing and development data: will seek other solutions as
Semaphore cannot deliver to other global locations, 2/94. 

13. Pillsbury: has strategy to secure global networks: as owned by UK-based Grand 
Metropolitan, will seek other solutions which can be shipped to all global
locations, 11/93.

The total value for all of these opportunities are estimated to be in the range of 
$30 to $50 million based on the preliminary estimates of the projects. 

You have Semaphore's permission to submit this information with your testimony 
before the Congress. 

Gauging the extent of economic harm industrywide is an inherently difficult
task because most companies do not want to reveal that sort of information.
Consequently what exists, with the exception of statements like that from
Semaphore, is mostly anecdotal information. But the accumulation of anecdotal
information collected by the SPA paints a picture of three ways in which the export
controls on cryptographic products are hurting American high-tech industry.

(1) Loss of business directly related to cryptographic products: First, for many 
data security companies, every sale is vital, and the loss of contracts smaller than 
$1 million can often mean the difference between life and death for these companies. 
The confusion and uncertainty associated with export controls on encryption gen- 
erate severe problems for small firms, but not as severe as the loss of business they 
suffer from anti-competitive export controls. Examples abound: 

• One U.S. company reported loss of revenues equal to a third of its current total
revenues because export controls on DES-based encryption closed off a market
when its customer, a foreign government, privatized the function for which the
encryption was used, and the U.S. company was not permitted to sell to the
private foreign firm. The company estimates it loses millions of dollars a year
because it receives substantial orders every month from various European
customers but cannot fill them because of export controls.

• One small firm could not sell to a European company because that company 
sold to clients other than financial institutions (for which export controls grant 
an exception). Later, the software firm received reports of sales of pirated copies 
of its software. This constituted the loss of a $400,000 contract for the small 
U.S. software firm. 


• Because of existing export restrictions, an American company recently found it- 
self unable to export a mass market software program that provided encryption 
using Canadian technology based on a Japanese algorithm. Yet other European 
and Japanese companies are selling competing products worldwide using the 
same Canadian technology. 

• An SPA member's product manager in Europe reported the likely loss of at least 
50% of its business among European financial institutions, defense industries, 
telecommunications companies, and government agencies if present restrictions 
on key size are not lifted. 

• Yet another SPA member company reported the potential loss of a substantial 
portion of its international business if it cannot commit to provide DES in its 

• A German firm that opened a subsidiary in the U.S. sought a single source
encryption software product for both its German and U.S. sites. A U.S. data
security firm that bid for the contract lost the business because U.S. export
controls required that the German firm would have to wait approximately six
months while a license was processed to sell them software with encryption for
foreign application. The license could only be for one to three years, the three
year license being more expensive. Consequently, the German firm ended up
purchasing a DES-based system from another German company, and the U.S.
firm lost the business.

• A foreign government selected one software company's data security product as
that government's security standard. The company's application to export the 
DES version was denied, and as a consequence the order was lost. This cost the 
company a $400,000 order and untold millions in future business. 

(2) Loss of business from U.S. companies with international concerns: Second, 
multinational corporations (MNCs) are a prime source of business in the expanding 
international market for encryption products. Many U.S.-based firms have foreign
subsidiaries or operations that do not meet export requirements. While U.S. prod- 
ucts may be competitive in the U.S., many MNCs obtain from foreign sources 
encryption systems that will be compatible with the company's worldwide oper- 
ations. Moreover, foreign MNCs cannot rely on the availability of U.S. products and 
have been known to import foreign cryptography for use in their U.S. operations. 

• One U.S. firm reports the loss of business from foreign MNCs that will not inte- 
grate the company's products into their U.S. operations because of the export 
restrictions that would prevent them from being compatible with their domestic 

• The Computer Business Equipment Manufacturers Association reports that one 
of its members was denied an export license and lost a $60 million sale of net- 
work controllers and software for encryption of financial transactions when the 
Western European customer could not ensure that encryption would be limited 
to financial transactions. 

(3) Loss of business where cryptography is part of a system: Third, encryption sys- 
tems are frequently sold as a component of a larger system. These "leveraged" sales 
offer encryption as a vital component of a broad system. Yet the encryption feature 
is the primary feature for determining exportability. Because of the export restric- 
tions, U.S. firms are losing the business not just for the encryption product but for 
the entire system because of the restrictions on one component of it. 

• One data security firm has estimated that export restrictions constrain its mar- 
ket opportunities by two-thirds. Despite its superior system, it has been unable 
to respond to requests from NATO, the Swedish PTT, and British
telecommunications companies because it cannot export the encryption they demand. This
has cost the company millions in foregone business. 

• One major computer company lost two sales in Western Europe within the last 
12 months totaling approximately $80 million because the file and data 
encryption in the integrated system was not exportable.

One possible solution to the problem of export controls may be for U.S. companies 
to relocate overseas. Some U.S. firms have considered moving their operations over- 
seas and developing their technology there to avoid U.S. export restrictions. Thus, 
when a U.S. company with technology that is clearly in demand is kept from export- 
ing that technology, it may be forced to export jobs instead. 


How are U.S. citizens and businesses being affected by all this? 

The answer to this question is painfully simple. When U.S. industry forgoes the 
opportunity to produce products that integrate good security practices, such as
cryptography, into their products because they cannot export those products to their
overseas markets, U.S. users (individuals, companies, and government agencies) are 
denied access to the basic tools they need to protect their own sensitive information. 

The U.S. Government does not have the authority to regulate the use of cryptog- 
raphy within this country. But if through strict control of exports they can deter 
industry from building products that effectively employ cryptography, then they 
have achieved a very effective form of internal use control. You and I do not have 
good cryptography available to us in the word processors and data base
management and spreadsheet systems even though there is no law against our use of
cryptography. If we want to encrypt our sensitive information, we must search out
special products that usually must be used separately from our main workstation
applications. This is a very effective form of internal use control, and it makes all levels
of U.S. industry vulnerable to foreign and domestic industrial espionage. 

And Clipper, as presently being implemented, does nothing to help this problem. 

What should Congress do? 

In this case, Congress is already doing something! Last November, Representative 
Maria Cantwell introduced HR 3627, a bill that would shift export control of mass 
market software products including those with cryptography, from the Department of
State to the Department of Commerce, thus allowing them to be treated as normal 
commodities instead of munitions. This bill should be considered as part of Chair- 
man Gejdenson's overall bill to reform export controls. In the Senate, the Murray- 
Bennett initiative, S 1846, to reform export controls has a similar objective. 

Legislation such as HR 3627 and S 1846 must be passed as soon as possible to 
balance the national economic interests against those of law enforcement and na- 
tional security. 


On Clipper key escrow

In addition to all the concerns about civil liberties and the use of classified cryp- 
tography to protect unclassified information, there are very real concerns about 
whether Clipper will really help law enforcement deal with the emergence of 
encrypted phone and data traffic. The Administration needs to come forth with some 
form of business plan for how it expects this program to succeed in the marketplace. 

The imposition of a technology as potentially invasive of Americans' right to
privacy should not occur merely by executive edict but rather as the result of careful
consideration and passage of legislation by the Congress and by being signed into
law by the President and determined to be Constitutional by the Supreme Court.
Only when this has been completed will most Americans accept key escrow. Only 
then will Clipper key escrow have a chance of succeeding. 

If the Administration does not take immediate steps to introduce legislation defin- 
ing the role of key escrow in the U.S., Congress must take decisive steps to do so 

The digital signature standard 

The continuing failure of the U.S. Government to promulgate a Digital Signature
Standard after twelve years of trying is a national economic tragedy. The world of
electronic commerce could have been well along by now instead of just getting
started had a standard been established even a few years ago. Those in government who
think they are making great strides with the National Performance Review and the 
National Information Infrastructure will soon realize that until there is an effective 
DSS, their efforts will be of very limited success. 

Make no mistake about it, the reason we have no DSS is because the national 
security and law enforcement interests in the U.S. have stymied all attempts to
approve the logical worldwide de facto standard, and they have not been able to come
up with an alternative. And it does not appear that they will succeed in identifying 
one any time in the near future. 

Congress is well justified in taking the extraordinary step of naming a Digital Sig- 
nature Standard based on the worldwide commercial choice. Congress has an obliga- 
tion to the American people to allow the U.S. to enter the world of electronic com- 
merce before the 21st century. It truly appears that we may never have a DSS oth- 


On export control of cryptography 

The widespread availability of cryptography throughout the world and the ease
with which other countries, including our closest allies, allow the export of
cryptography to the U.S. and elsewhere make it imperative that our U.S. Government's
regulation of cryptographic exports move out of the Cold War. Export controls have
been relaxed on every other form of high tech computer and communications
technology. Continuation of cryptography export controls is only hurting American
citizens and businesses.

Law enforcement and national security interests will continue to encounter
ever-growing amounts of encrypted communications no matter how many restrictive
steps the Administration attempts to take. We must realize this basic fact of
technology advancement and stop hamstringing U.S. national economic interests in the
hope that we are helping our national security interests.

It is evident from the Administration's refusal to relax cryptographic export
policies during the Clipper Interagency Review that the Executive Branch is going to
continue to emphasize the interests of national security and law enforcement over 
our national economic interests until we become a third-rate economic power. 

Only the Congress can take the steps to balance the interests of American citizens 
and businesses against that immovable force. I strongly support the Cantwell Bill, 
HR 3627, and the Murray-Bennett initiative, S 1846. 

On a national policy on cryptography 

All of these concerns reflect the dilemma between the interests of private citizens 
and businesses in the U.S. to protect their sensitive information and the interests 
of law enforcement and national security to be able to monitor the communications
of our adversaries. 

We need a national statement of policy in this country defining what "rights" indi- 
viduals and the government can expect in the use of cryptography. Such a policy 
might ban the use of cryptography by private citizens or remove all restrictions on 
cryptography exports. More likely, it will seek a compromise to balance our national
economic and security interests. One example of such policy is:

"Good cryptography" shall be available to U.S. citizens and businesses
without government restriction.

"Good cryptography" is defined as that which is commonly available throughout
the world, presently the Data Encryption Standard and RSA public key
cryptography with a 1024-bit modulus.

"Without government restriction" means without export control or other gov- 
ernment regulation. 

The Administration must understand that until a fair and open review of such 
a national policy is completed, the struggle over the control of cryptography will not 
go away. 

The Congress can and must play a pivotal role in resolving this dilemma. I strong- 
ly urge members of Congress to find a resolution of this issue before our economic 
interests are surrendered in the interests of law enforcement and national security. 































From the Software Publishers Association survey of cryptographic products as of April 25, 1994. 


Newnet S.A. 

Cybanim Pty Ltd. 

Datamatic Pty Ltd. 

Eracom Pty Ltd. 

Eric Young 

Loadplan Australasia Pty Ltd. 


News Datacom 


Robust Software 

Ross Williams 

Sagem Australasia Pty Ltd. 

TRAC Systems 





International Information Systems 

Cryptech NV/SA 
GSA Ran Data Europe 
Highware, Inc. 

A.B. Data Sales, Inc. 
Concord-Eracom Computer Ltd. 
Isolation Systems 
Mobius Encryption Technologies 
Newbridge Microsystems 
Northern Telecom Canada Limited 
Okiok Data 
Paradyne Canada Ltd. 



Secured Communication Canada 93, Inc.

DENMARK Aarhus University, Computer Science Department 

GN Datacom 
Iversen & Martens A/S 
LSI Logic/Dataco AS 
Swanholm Computing A/S 


Antti Louko 
Ascom Fintel OY 
Instrumentoiti OY 




CSEE - Division Communication et Informatique


Cryptech France

Dassault Automatismes et Telecommunications 

Digital Equipment Corporation (DEC), Paris 

Research Lab 

Incaa France S A.R.L. 


Philips Communication Systems 

Rast Electronics 

S A. Gretag 


Smart Diskette

Societe Sagem 

GERMANY AR Datensicherungssysteme GmbH


CE Infosys GmbH 
Concord-Eracom Computer GmbH 
Controlware GmbH
Data Safe 

Dynatech-Gesellschaft für Datenverarbeitung

EuroCom EDV 
FAST Electronic 
Gliss & Herweg 
Gretag Elektronik GmbH 



Markt & Technik Software Partners Intl. GmbH 

Paradyne GmbH 


Smart Diskette GmbH 

Tela Versicherung

Tele Security Timmann 

Telenet Kommunication 

The Compatibility Box GmbH 

Tulip Computers 

im-MACO GmbH 


G J.Mcssaritis & Co. Ltd. 

ORCO Ltd. 


News Datacom 

Triple D Ltd. 


Chenab Info Technology 


Eurologic Systems, Ltd. 

Renaissance Contingency Services, Ltd, 

Shamus Software Ltd. 


Algorithmic Research Ltd. 


News Datacom 



Incaa SRL 


Ratio Sri 

Tclvox s.a.s. 



Fujitsu Labs Ltd. 

Japan's National Defense Academy 
Paradyne Japan, KK 
Yokohama National University 


Telindus SA 
Shirebum Co. Ltd. 



Ad Infinitum Programs (AIP-NL) 

CRYPSYS Data Security 

Concord Eracom Nederland BV 

Cryptech Nederland 


DSP International 

Geveke Electronics BV 

Incaa Datacom BV 

Incaa Nederland BV 

Repko BV Datacomms 

Verspeck & Socters BV 


LUC Encryption Technology, Ltd. (LUCENT) 

Peter Gutmann 

Peter Smith and Michael Lennon 


BDC Bergen Data Consulting A/S 

Ericcson Semafor 


Scand PC Sys/Sectra 

Skanditek A/S 




Redislogar SA 


DKL Ltd. 
Elias Ltd. 
LAN Crypto 


Info Guard Saudi Arabia 

Communications Systems Engineering Pty. Ltd. 
Digitus Computer Systems 


BSS (Pty) Ltd. 

Computer Security Associates 



InfoPlan - Division of Denel P/L 



Net One 

Siemens Ltd. 




Asociacion Espanola de Empresas de Informatica 

Asociacion Nacional de Industrias Electronicas 

Redislogar Comunicaciones SA



Tccnitrade Int. SA 


AV System Infocard 

Ardy Elektronics 

Au-System Infocard AB 

COST Computer Security Technologies



QA Informatik AB

SONOR Crypto AB 

SecuriCrypto AB 

Stig Ostholm 

Tomas Tesch AB 


Crypto AG 
ETH Zurich 
Ete-Hager AG 
Gretag AG 
Incaa Datacom AG 
Info Guard AG 
Omnisec AG 


Aiitech Computer Security 
British Telecom 
Business Simulations 


Cambridge Electric Industries 
Codepoini Systems Ltd. 
Compserve Ltd. Compserve Ltd. 
Computer Associates 
Computer Security Ltd. 
Cylink Ltd. 
Data Innovation Ltd.
DataSoft International Ltd.
Datamedia Corporation, Ltd. 
Digital Crypto 

Dynatech Communications Ltd. (Northern office)
Dynatech Communication Ltd. 

Fulcrum Communications
GEC-Marconi Secure Systems 

Global CIS Ltd. 
Gretag Ltd. 

IT Security International 

International Data Security 
International Software Management 
J.R.Ward Computers Ltd. 
JPY Associates 
Jaguar Communications Ltd. 
Janus Sovereign 
UK Marconi 

Microft Technology Inc. 

Micronyx UK Ltd. 

Micronyx UK Ltd. 

Network Systems 

News Datacom 

Northern Telecom Europe Limited 

PC Security Ltd. 


Paradyne European Headquarters 

Plessy Crypto 

Plus 5 Engineering Ltd. 


Prosoft Ltd. 

Protection Systems Ltd. 


Racal Milgo 


S&S International 

Shareware pic 

Sington Associates 

Smart Diskette UK

Smith's Associates 


Sophos Ltd. 

Stralfors Data 

Sygnus Data Communications 

The Software Forge Ltd. 

Time & Data Systems 


University College London 

Widney Ash 


Zeta Communications Ltd. 

USA 3COM Corp. 

ADT Security Systems 

AO Electronics 


ASC Systems 

ASD Software Inc. 


AST Research 


AT&T Bell Laboratories 

AT&T Datotek Inc. 

Access Data Recovery 

Advanced Computer Security Concepts 

Advanced Encryption Systems 

Advanced Information Systems 

Advanced Micro Devices, Inc. (AMD) 

Aladdin Software Security 

American Computer Security 

Anagram Laboratories 
USA Applied Software Inc. 

Arkansas Systems, Inc. 


Ashton Tate 

BLOC Development Corporation


Bi-Hex Co. 


Braintree Technology 


CE Infosys of America, Inc. 

Casady and Greene 

Centel Federal Systems Inc.

Central Point Software

Certus International

Cettlaji Corp. 

Chase Manhattan Bank, N.A. 


Codex Corp. 

Collins Telecommunications Products Division 

Command SW Systems 


Communication Devices Inc. 


Computer Associates International, Inc. 

Contemporary Cybernetics



Cryptex/Gretag Ltd. 

Cylink Corp.

Cypher Comms Technology 

DSC Communications 

DataBase International 

Datakey Inc.

Datamedia Corporation 

Datamedia Corp. (DC Area) 

Datawatch, Triangle Software Division 

Datotek, Inc. 

Dell Computer 

Digital Delivery. Inc. 

Digital Enterprises Inc. 

Digital Equipment Corporation (DEC)

Digital Pathways 

Docutel/Olivetti Corp.

Dolphin Software



Dowty Network Systems 
ELIASHIM Microcomputers Inc. 
Enigma Logic, Inc. 
Enterprise Solutions Ltd. 
Fairchild Semiconductor
Fifth Generation Systems, Inc. 
Fischer International 
Front Line Software 
GN Telematic Inc.
GTE Sylvania 
Gemplus Card International 
General Electric Company 
Glenco Engineering 
Hawk Technologies Inc. 
USA Hawkeye Grafix, Inc. 

Hilgraeve, Inc. 

Hughes Aircraft Company 

Hughes Data Systems Inc. 

Hughes Network Systems - California 

Hughes Network Systems - Maryland 

Hybrid Communications


Incaa Inc. 

Info Resource Engineering 

Info Security Systems 

Information Conversion Services

Information Security Associates, Inc. 

Information Security Corp. 

Innovative Communications Technologies, Inc. 


International Business Machines (IBM)

Inter-Tech Corp. 

Isolation Systems, Inc. 

Isolation Systems, Inc. 

John E. Holt and Associates 

Jones Futurex, Inc. 

Kensington Microware Ltd. 

Kent Marsh Ltd. 

Key Concepts 

Kinetic Corp. 



Lassen Software, Inc. 
Lattice Inc. 

Lexicon, ICOT Corporation 
Litronic Industries (Information Systems Division) 
Litronic Industries (Virginia)

Maedac Enterprises 


Massachusetts Institute of Technology 
Matsushita Electronic Components Co. 
Mergent International 
Micanopy MicroSystems Inc. 
Micro Card Technologies, Inc. 
Micro Security Systems Inc.
MicroFrame Inc. 

Microcom Inc. (Utilities Product Group) 
MicroLink Technologies Inc. 
Microrim
Mike Ingle 

Morning Star Technologies 
Morse Security Group, Inc. 

NEC Technologies 
National Semiconductor 
Network- 1, Inc. 
Networking Dynamics Corp. 
Nixdorf Computer Corporation 
Northern Telecom Inc. 

OnLine SW International 
Ontrak Computer Systems Inc. 
Optimum Electronics, Inc. 
USA Otocom Systems Inc. 

PC Access Control Inc. 
PC Dynamics Inc. 
PC Guardian 
PC Plus Inc. 



Paradyne Caribbean, Inc. 

Paradyne Corporation 

ParaJon Technologies 

Personal Computer Card Corp.

Pinon Engineering, Inc. 

Prime Factors 

RSA Data Security, Inc. 

RSA Laboratories 

Racal Datacom 


Racal-Milgo USA 

Rainbow Technology 


Rothenbuhler Engineering 

S Squared Electronics




Samna Corp 

Scrambler Systems Corp. 

Sector Technology 

Secur-Data Systems, Inc. 

Secura Technologies 

Secure Systems Group International, Inc.

Security Dynamics 

Security Microsystems Inc. 

Semaphore Communications 

Sentry Systems, Inc. 

Silver Oak Systems 

SmartDisk Security Corp. 

Software Directions, Inc. 

Solid Oak Software 

SophCo, Inc. 

Sota Miltopc 

Stellar Systems Inc. 

Sterling Software Inc. (Dylakor Division)

Sterling Software Inc. (System SW Marketing 




TRW, Electronic Product Ltd. 

Techmar Computer Products, Inc. 

Techmatics, Inc. 



Technical Communications Corp. (TCC) 
Telequip Corp. 
Terry Riner 
Texas Instruments, Inc. 
The Exchange 
Thumbscan, Inc. 
Tracor Ultron 
Trigram Systems 
Tritron Systems

Trusted Information Systems, Inc. 
USA UTI-MACO Safeguard Systems 

UUNet Technologies, Inc. 
United Software Security
Uptronics, Inc. 
VLSI Technology, Inc. 
Verdix Corp. (Secure Products Division) 

Visionary Electronics 
Wang Laboratories 
Wells Fargo Security Products 
Western DataCom Co. Inc. 
Western Digital Corporation 
Westinghouse Electric Corp. 

Xetron Corp. 
Yeargin Engineering 
Zenith Data Systems 
usrESZ Software, Inc. 

YUGOSLAVIA Sophos Yu d.o.o.



Senator Leahy. Now, let me ask you this. On this program, how 
difficult would it be to decrypt it? 

Mr. Walker. Well, we have the decryption program in there on
your phone and it is doing the decryption. You mean how difficult 
would it be for someone else? 

Senator Leahy. Yes; let us say that it is somebody else. 

Mr. Walker. This is standard DES, which is 56 bits of key. As 
Ray Kammer said, DES has served us very well for 17 years. It 
would take — well, there was an estimate last summer at the crypto 
conference that if you built a special purpose device for $10 mil- 
lion — this was actually an engineering estimate of some detail — 
you could exhaustively check the key space of DES in 3.5 hours, 
and that is the fastest that anyone has ever regularly predicted 

Senator Leahy. But Clipper Chip would take a lot longer than 

Mr. Walker. Clipper is 80 bits, and it is 2 to the 56th versus 
2 to the 80th and it is 16 million times harder to do Clipper, so 
Clipper is very strong. Of course, and I don't want to hammer this 
too hard, but the question of what we do if DES gets too weak — 
well, one thing to do is to back up essentially DES processes to- 
gether — it is actually three of them — and you can double the key 
length. So you can go to 128 bits with DES with the algorithms 
and with the software that is already available. 

Senator Leahy. With this, if you were sending something to me, 
I have got to know the key.

Mr. Walker. That is right.

Senator Leahy. One, I have got to have the program, but then 
I have got to know which key to use. 

Mr. Walker. Yes; and if you were to use it as a telephone you 
would like to set it up like the — well, if you want key escrow, you 
can run it the same way that the exchange of the key happens with 
the Clipper. If you don't like key escrow, you can do it the way they
did it in the P version, which doesn't have key escrow. We could 
have, in fact, set up that same key exchange process. We just didn't 
have the time to do it. 

Senator Leahy. Now, you have linked them by an independent
line, but you could have done this over regular telephone lines, 
couldn't you? 

Mr. Walker. That is right, yes, sir.

Senator Leahy. And if you wanted to talk to your employees in 
London from an office in Maryland, you could use the same com- 
puter program to scramble those kinds of conversations? 

Mr. Walker. Yes. 

Senator Leahy. And data transmission, also?

Mr. Walker. Yes; we have an alternative to PGP called Privacy 
Enhanced Mail, which is essentially the same kind of functionality 
that was talked about in the Wall Street Journal the other day. 
Some folks in England want it, the Ministry of Defense, in fact, 
and we have not been able to sell it to them because of the export 

The specs for PEM are internationally available and so we actu- 
ally hired a scientist in England to rewrite the code from scratch 
using DES and RSA that is already available in England, and we


have demonstrated that to the British Ministry of Defense. They 
can buy it in England. We can't sell them our stuff here, so we 
have essentially done a second implementation. The irony is that 
the British export laws are such that we may well be able to export 
to the U.S. the version that we built in England which, of course, 
we couldn't ever send back to them. 

Senator Leahy. Now, the administration has stated that the use 
of key escrow encryption is going to be voluntary even for Federal 
agencies, and that no alternative encryption system is going to be 

Mr. Walker. Yes; that sounds very good. 

Senator Leahy. Then what is the concern? If that is so, why is 
there concern about Clipper Chip? 

Mr. Walker. If that is so and if the numbers that I have pro- 
jected down here are also right, one shouldn't have a concern about 
it. One is not certain that that is going to remain so forever, 
though. I mean, I am fearful that they are going to realize in 4 or 
5 years, you know, this just isn't working; we are still having a 
problem. Then they will change the rules and it won't be voluntary. 

Senator Leahy. Yes; you are saying if Clipper Chips are not ac- 
cepted on a voluntary basis. Then what do you think they are going 
to say? Whether you have got Clipper or DES or Pretty Good Pri- 
vacy, or whatever, you have got to have a key escrow feature? 

Mr. Walker. It is clear — and I want to be very clear. I sym- 
pathize greatly with the law enforcement and the national security 
interests in this, and I am not trying to make their lives harder 
in this. As I was talking to the admiral just before we started here, 
he said this all started back when Admiral Inman let DES out. 
Well, indeed, that is the case. DES got out of the bag in 1976 or 
1977 and we are now seeing it available around the world. 

Their job, unfortunately, is going to get much harder whether we 
impose key escrow or whether we continue to control export control 
or not. I don't want to make their job harder, but I don't think it 
is reasonable for them to sacrifice U.S. national economic interests 
in the interest of keeping something that is already out of the bag 
and is eventually going to make life very difficult for them anyway. 

Senator Leahy. Unless they require the key escrow feature with 

Mr. Walker. Indeed; key escrow, though, as we have seen in 
these devices and in the Tessera cards that are part of the Cap- 
stone Program, requires that it be done in hardware. I am a mem- 
ber of the NIST Software Escrow Alternatives Committee, and we 
indeed have met bimonthly, not biweekly, and we are struggling 
with whether there is any alternative here. 

To require key escrow that you can't defeat trivially, you have to 
do it in hardware, and the whole point of this demonstration and 
thousands of others like it is encryption is available in software. No 
one is going to want to put key escrow along with this if, in fact, 
they have to add hardware to this when they already have it with- 
out it. So making a law that says you have to have key escrow will 
be one of the most significant laws that no one pays attention to 
that we have had in a long time. 

Senator Leahy. We have had a few of those over the years. 


Mr. Walker. Indeed; I mean, it's Prohibition all over again. It 
is going to be fun. 

Senator Leahy. I am too young to remember; that was before my 
time anyway, but I remember some of the stories my father told 
me about that. 

You talk about NIST. Mr. Kammer, when he was testifying, said 
that NIST is open to other approaches. One, do you feel it is? I 
mean, you are serving with that advisory committee. Secondly, are 
there alternatives to Clipper Chip that could serve the objectives 
of protecting the privacy of communications, but not irreparably 
damage some of our national security and law enforcement needs? 

I should emphasize in this that I am convinced both from open 
hearings and classified hearings that we have some very, very seri- 
ous law enforcement needs and we have some very, very serious 
national security needs. 

Mr. Walker. I agree. 

Senator Leahy. In the national security area, I don't worry so 
much, as I have said on many occasions, about an army marching 
against us or a navy sailing against us, or an air force, because we 
are far too powerful for that. I am far more worried about a well- 
organized, well-directed, well-motivated terrorist group coming 
from abroad, one that could cause enormous physical damage as 
well as psychological damage. One that, I don't think it would be 
stretching it too far to say, could cause real damage to our constitu- 
tional liberties and our constitutional way of doing things, more so 
than the armies of World War I and World War II. Such a group 
could suddenly make us question everything from our search and
seizure laws to our freedom of speech laws. That, as an American 
and one who has seen the importance of those constitutional safe- 
guards, bothers me very much. 

So do you see such alternatives? 

Mr. Walker. Well, there are alternatives that people have talked 
about. Sylvia McCauley at MIT has proposed for some time, and 
indeed apparently has some patents on some key escrow tech- 
nologies. Basically, those end up being voluntary unless you can — 
I mean, easy to bypass is what I mean, making them — the law en- 
forcement people can't insist that this is, in fact, going to be im- 
posed everytime, and that seems to be a real hangup with the ad- 
ministration that if it is not something that can be imposed 
everytime it is used, then they are not interested in it. Unless we 
reorder the way in which we build our computers and our tele- 
phones, it is going to be very difficult, without something like the 
Clipper or the Capstone chip, to be able to have this happen.

To your other point, I think this is why I have come to the con- 
clusion after thinking about this for a year that we have a national 
dilemma here — the difference between individuals' rights to privacy 
and the law enforcement and national security needs. That is why 
I think it is so important that this be submitted for legislation and 
let all sides have their say and let the Congress decide whether we 
should impose this or not. 

I really am not sure there is any other way to get out of this one. 
I mean, wiretaps are not an attractive thing to individuals, but we 
have decided that under certain circumstances wiretaps are OK. 


We may well decide that key escrow is OK. It certainly does pro- 
vide advantages if it becomes widely used, but I don't think — as the 
administration is now proceeding with this essentially on its own 
without any legislation, without any other use of the separation of 
powers of the Constitution, I don't think Americans are going to 
buy Clipper escrow devices, and so it is not going to achieve what 
they want. 

If we considered legislation and as a country we decided this is 
the thing we need, for exactly the reasons that you were just giv- 
ing, then fine. I will go along with it. I don't actually have that big 
a problem if our government is using — I mean, what I am suggest- 
ing is we put the key escrow center in the judiciary so that nobody 
in the executive branch supposedly can twist their arms. 

We are in a situation where we have to trust our government for 
a certain amount of things. We shouldn't have to trust it for any 
more than we have to, and everytime we do something like this we 
should use all the separation of powers that we can. Put the en- 
forcement in the executive branch, put the decisionmaking about 
the keys in the judicial branch, and keep them separate. It is the 
best system we have got and we should be using it. 

Senator Leahy. Mr. Diffie, how do you feel about this?

Mr. Diffie. Well, as I said, my first response to this is to look
broadly at the technical resources of law enforcement and say, if 
you see the expanding possibilities not only of electronic surveil- 
lance but of DNA fingerprinting, of recognition of people in infrared 
photographs and a whole range of things that have become avail- 
able to law enforcement as investigative and enforcement tools, it 
seems very clear that the failures of law enforcement in contem- 
porary society are not failures of their technical capabilities. 

On the other hand, the introduction of new technologies into soci- 
ety brings up the problem of how we embody existing traditions, 
values, procedures, et cetera, in using those technologies, and I 
think that is a thoroughly legitimate question about the way in 
which cryptography will be deployed. In talking about the intrinsic 
character of key escrow in storage cryptography, I was citing one 
example of that kind of thing. 

Senator Leahy. But you don't question, do you, the fact that 
there can be some very, very legitimate national security interests 
in knowing, for example, what kinds of communications might be 
sent from a country hostile to us or known to harbor and protect 
terrorists to people here in the United States, and that in protect- 
ing our national security there may be a very real need to know 
what was in that communication on a realtime basis? 

Mr. Diffie. I don't doubt the value of communications intelligence.
When you are talking about explicitly communications of
terrorist groups that are foreign state-supported, I see no reason 
that the foreign state should be any more hesitant to supply them 
with COMSEC equipment than they are to supply them with AK- 

Senator Leahy. You think that what they would do is give them 
the kind of communication equipment that we might not be able 
to decipher anyway? 

Mr. Diffie. Well, you know, there has been a lot of pessimism
in amateur circles over many years about communications intelligence.
The fact is that communications are quite hard to protect,
and one of the important things about the sort of devices like the 
PSD 3600 is that they protect some aspects of your communica- 
tions, but they don't do anything to protect the traffic analysis, the 
trap and trace, the pen registers, and all of that. So I think that 
you really have to take a comprehensive view of the communica- 
tions intelligence and investigative techniques when you ask what 
the impact of cryptography applied at one level or another is going 
to be. 

Senator Leahy. Do you see the need for the ability to find out 
what somebody is saying, on a realtime basis for law enforcement
inside our country? Consider a criminal holding somebody hostage 
for a ransom and threatening that if the ransom is not paid by a 
certain time, the person is going to be killed. We want to know 
where the communications are going, to try and determine where 
that person might be, with the possibility of a rescue prior to the 
person being killed. I mean, this is not a fanciful movie-of-the-week 
but could be a real-life situation.

Mr. Diffie. That is a very good example when you are talking
about trying to trace calls, finding out where people are, and so 
forth. That is something which modern communications technology 
has made an overwhelming improvement in. If you look at the con- 
ventional wiretap, it is not so vastly much better than putting a 
bug in somebody's room. It is placed on what is called the local loop 
and it gives you access to the communications on the local loop 
with very little, if any, information about where calls are coming 

If you look at modern communications intercepts inside digitized
telephone systems, you are getting realtime information about 
where calls came from even if they are long distance. 

Senator Leahy. But you might not know what the call is if you 
don't know who is on there. 

Mr. Diffie. I don't doubt that it is possible to construct a particular
scenario that emphasizes any individual investigative technique.
What I am trying to point out here is that the overall
growth in investigative capability that has flowed from the changes 
in telecommunications gives law enforcement a wide range of new 
things that they can do that they couldn't do in the past, and that 
for them to accept those gleefully and then try to turn to any indi- 
vidual element with which they are now having more trouble with- 
out taking account of the fact that that is made up for by other re- 
sources is to give an unfair impression of the relative importance 
of particular investigative techniques versus very serious privacy 
concerns for business and individuals. 

Senator Leahy. Mr. Walker, what happens on the global electronic
superhighway if Clipper Chip becomes the U.S. standard for
encryption but other countries don't want to let it in? 

Mr. Walker. We will have a U.S. superhighway and we won't be
part of what is happening elsewhere. If I might add just a minute 
to the comments that Whit was saying, yes, there is the possibility 
that some vital event will happen which we may lose to encrypted 
communications, but I think we have to balance that on the other 


I participated 2 years ago in hearings with Congressman Brooks 
on foreign industrial espionage and, essentially, U.S. business is 
wide-open en masse right now to communications intercepts any- 
where in the world, and we do not have cryptography available on 
our laptops as part of Microsoft's products or Novell's products or 
WordPerfect's products because we can't export it from this coun- 
try. We don't have it ourselves either. You don't have it routinely 
available and neither do I.

So, yes, there is a concern that some event, a World Trade Cen- 
ter bombing, or whatever, may occur and we may lose something 
with that, but we are at grave risk that all of our technology that 
we are passing over the United States or global superhighway is 
wide-open at this time, and sometime we have to find a balance between
the possibility of an event like a World Center Trade bombing
employing cryptography and the absolute certainty that all of
our industrial information is passing in the clear around the world,
easy for our adversaries, governments and other countries, to pick
off and listen to.

We have got to find a balance between those, and the balance
has just swayed so far in favor of national security and law enforce- 
ment that it is going to eventually result in making the U.S. a 
third-rate power before we realize how significant that is. 

Senator Leahy. Larry? 

Senator Pressler. Well, thank you very much, Mr. Chairman. 

You may have covered this already, and if you have I apologize. 
I have been dealing with other committees this morning. As you 
are aware, critics of the administration's proposal argue that, as a 
practical matter, no criminal or foreign spy or terrorist of any sophistication
would be foolish enough to use an encryption device designed
by the NSA and approved by the FBI.

Why do we feel that people whose telecommunications the NSA 
and FBI want most to decode will be the very people most likely 
to use this technology? 

Mr. Walker. I suspect you should have been here during the 
previous people testifying. We agree with you. 

Senator Leahy. We spent about 2 hours going through that one. 

Senator Pressler. OK. 

Mr. Walker. We don't disagree with the assertion that— well, I 
will say specifically this is an AT&T 3600 that does not use key 
escrow. It is currently for sale. There is a Clipper version that is 
also for sale. I think people who have any sense that they may be 
wiretapped are going to go to their AT&T store and buy this one 
rather than the Clipper one, for exactly the reason you mentioned. 

Senator Pressler. Well, are there sufficient safeguards in the es- 
crow system? You would have to have a court-authorized wiretap, 
and I guess two agencies would have to be involved. It sounds to 
me as though there are some fairly extensive safeguards built in. 

Mr. Walker. My personal opinion is with law enforcement oper- 
ating within the law, the procedures that they are establishing— 
I have been briefed on this several times on the Computer System 
Advisory Board and other things — are going to be sufficient for 
this, law enforcement operating within the law. 

I am concerned that law enforcement operating outside of the 
law doing something that is not authorized — these procedures may
not be good enough for that. I am not sure that you could ever have
procedures that are good enough for that, which is the concern 
about establishing key escrow as a mechanism anyway, in any 
case, and why I believe we need to have legislation to review 
whether we really want this or not. 

Mr. Diffie. I think my understanding is that in the early 1940's
when Japanese Americans were interned, the information that was 
used to identify them was, in part, census information that was 
very explicitly legally — clear legal impropriety in using the census 
information for this purpose. 

I think when we think about creating what the escrow system 
might become — that is, a repository of keys that could be used to 
read a vast amount of American traffic — we are considering creat- 
ing a vulnerability, a very long-term vulnerability in the U.S. Com- 
munications System. In these discussions, it is always important to 
emphasize that as valuable as telecommunications are to us at 
present, they will be more valuable in the future. They will be 
more the essence of our society in a few years than they are now. 

So I am very worried that we are creating something that is a 
fundamental danger to the security of our communications system 
under the guise of an improvement to the security of our commu- 
nications system. 

Senator Pressler. Now, Mr. Walker, you describe how present 
U.S. laws prohibit the export by your company of encryption prod- 
ucts. Are you in favor of eliminating those laws completely? If not, 
what should be exported and what should be prohibited? 

Mr. Walker. I believe that there needs to be a balance found be- 
tween super-good cryptography that is used by the U.S. Govern- 
ment to protect its classified information — I don't think that should 
be exported. What I am suggesting is things that are routinely 
available throughout the world ought to be able to be exported by 
the United States. 

We have relaxed export controls on every kind of computer and 
telecommunications in the last couple of years except that involving 
cryptography. In the survey we are doing, which is done at a very 
low budget without a whole lot of fancy people working on it, we 
have found a very large number of DES and better products that 
are available throughout the world. Why is it that U.S. companies are
excluded from being able to participate in that? 

So I am not suggesting that we ban export controls on cryptog- 
raphy as a whole. I am saying let us find what the level is that 
is available routinely around the world and establish that as the 
basis where U.S. companies can participate. If U.S. companies can 
participate in exporting things like DES, then you will find 
Microsoft and Novell and WordPerfect including encryption in their 
products so that when you want to protect a file from someone else 
reading it or when some company wants to use this to protect their 
very sensitive information, they will have the tools available to do 

We do not have control in this country of the internal use of cryp- 
tography, but the use of export control has been so strong that it 
has, in effect, created a control of its use within the United States. 
It is legal to use DES to encrypt your Microsoft files, but you won't 
find a product that lets you do that relatively easily because the
people who build those products can't sell it to half the market that
they have. 

So we are in a situation which requires some degree of sense ap- 
plied to it. Don't ban the export of cryptography in general. Good 
systems, military use systems, should not be exportable, but rou- 
tine things that are available in the bookstores in London and in 
Germany and in Australia and South Africa — we ought to be able 
to sell those, too. That is what I am seeking, and I believe that is 
what the Cantwell and the Murray bills, in fact, are seeking to do, 
and I strongly encourage that the House and the Senate pass those 
as quickly as possible. 

Senator Pressler. Thank you very much. 

Senator Leahy. Thank you. We will take a 2-minute recess to 
allow the next panel to set up. 


Senator Leahy. During the break, someone asked me the num- 
bers, and I reversed the cost estimate. NIST has estimated that 
$14 million is the cost of setting up the Key Escrow System, and 
$16 million is the annual maintenance cost. I forgot who asked me 
the question, but I hope they are still in the room. I wanted to cor- 
rect it if I gave it just the other way around. 

Admiral McConnell is the Director of the NSA, the National Se- 
curity Agency, and has been for a couple of years. Before that, he 
served as head of the Intelligence Department of the Committee of 
the Chiefs of Staff of the U.S. Armed Forces. The admiral has been 
most patient in listening. By the end of this day, he and I will 
probably have heard more than either one of us ever wanted to 
hear on this subject. 

Admiral, I appreciate your being here because your involvement
is absolutely essential in getting any resolution on this. I might 
note for the record that I appreciate the amount of time you have 
spent personally with me on this, and that the time your staff has 
spent. It has been very, very helpful, and I must say in my experi- 
ence in 20 years in dealing with those in the intelligence agencies, 
I have never had anybody be more cooperative or more forthcoming 
than you have and I just wanted to publicly commend you on that, 
especially since some of the things that you are cooperative about 
I can't publicly thank you for, but I thank you in general. 

Go ahead.


Admiral McConnell. Mr. Chairman, I appreciate the opportunity
to comment. As you know, I have submitted a statement for
the record, but in the interests of time I would like to just make 
a few brief comments. 

I noted that you started earlier this morning — it seems like 
hours and hours ago now 

Senator Leahy. It was. 

Admiral McConnell. About the CNN/Time poll; 80 percent of 
Americans were against this. Just for interest, I pursued that a bit 
to read the question that was asked. Although the question wasn't 
published, it was stated in a way with pejoratives three times 
along the way to basically come down to, do you want the government
reading your communications, as opposed to stating it in a
way to say this is not an enhanced or additional authority for the
government to do its law enforcement mission, which includes le- 
gally authorized wiretaps. So I think the question was probably a 
little bit biased in the way it was asked. 

Sir, your letter asked me to address what was NSA's role in this 
whole process, and it can be summed up very succinctly. We were 
the technical adviser to NIST that you heard from earlier and to 
the FBI and the Department of Justice. The FBI, in the legislation 
that they have submitted, recognized that they had a problem with 
the communications process going from analog to digital, referred 
to popularly as the digital telephony legislation. In conjunction 
with that, they began to appreciate the potential impact of 

They came to us, as did NIST, in our role as directed under the 
Computer Security Act of 1987, and asked for technical assistance. 
Quite frankly, this was a very tough technical challenge for us. We 
sat down to sort through potential technical solutions and what we 
came up with was escrowed key. 

Now, I would like to make the point that you only have three 
choices if you are going to encrypt something. You can use 
encryption that is exploitable, meaning that it is neither, not of suf- 
ficient key length or there is a weakness or there is something that 
would allow an adversary to break into it. You can use encryption 
that is exploitable, or you can use encryption that is unexploitable 
but uses an escrowed key. In my opinion, that is where we came 
out. We made encryption that is not exploitable. We factored in the 
escrow key, for all the reasons that have been enumerated for you 
this morning. 

NSA has been castigated regularly in the literature on this sub- 
ject as being the perpetrator and having sinister motives, and so 
on, and I would just like to take a moment here in public to try 
to put a little balance on some of those comments. 

First of all, NSA has no domestic surveillance function. NSA has 
no law enforcement function. We do not target Americans. We have 
no direct association with law enforcement other than if we collect 
something in our mission of foreign intelligence that would be of 
use to law enforcement, we make that information available, just 
like we would make it available to any other agency of government 
or to the Congress. 

The second point I would make is we certainly are a nation of 
laws. Our activities are governed by law and we have very exten- 
sive oversight not only in the executive branch, but also in the Con- 
gress, two committees, and you, of course, served on one of those 
committees. That oversight, sir, as you well know, is quite exten- 
sive on what we do. 

Our mission is to target foreign activities, so anything that NSA 
is engaged in is strictly in a foreign context. Now, what are those 
things? Military capabilities; proliferation of weapons of mass de- 
struction, even the creation of weapons of mass destruction; sci- 
entific and technical intelligence on weapons systems and ability of 
countermeasures to defeat U.S. systems; and, in fact, military oper- 
ations, and you could extend it on to foreign government actions 
that would either harm their neighbors or would harm the interests
of the country. All of those are very important things, and let
me just use a current example. 

Most who have focused at all on foreign relations are concerned 
about the events in North Korea. North Korea either has or they 
intend to build a nuclear weapon. They have a missile system that 
has a current range, we estimate, in the neighborhood of 1,000 km. 
They intend to build missiles with capabilities beyond 1,000 km. 
Now, that is of interest to the United States and it is of interest 
to our allies, the South Koreans, the Japanese, and others. 

NSA's interest in this thing called cryptography and standards, 
and particularly international standards, is influenced by our serv- 
ice to the Nation to maintain awareness of what is going on in the 
world that impacts on not only military operations, but the formu- 
lation of foreign policy and that sort of thing. 

Successful completion of our mission has saved lives not only in 
the military context, but in the civilian context, not only for the 
United States, but for our allies. We have provided information to 
our policymakers for the formulation of foreign policy. We did it 
last year, we did it last month, we did it yesterday, and we are 
doing it this morning. 

Now, what I would like to do — since most of everything that I am 
involved with currently is classified and I am unable to speak free- 
ly on it, I want to try to give this a sense of relevance by speaking 
to a historical context. 

In World War II in the Atlantic theater, the United States and 
Great Britain collaborated to break the communications of the 
enemy. Through the ability to read the communications of the 
enemy, we knew when they were planning battles, with what level 
force. We knew how to engage, when and where, and when it was 
to our advantage. 

The U-boat force, the submarine force, was approaching success 
in shutting down the flow of war materials going from the United 
States to England and to Europe. The success in code-breaking al- 
lowed the United States to either circumvent the U-boats or to sink 
them. It made an incredible difference. Historians have credited, 
now that this information is public, World War II coming to com- 
pletion in Europe, if not 2 years, at least 18 months, sooner than 
it would have otherwise. 

Now, let me switch to the Pacific. The United States succeeded 
in breaking the code of the enemy in the Pacific. Because of that, 
with an inferior naval force, we immediately started to enjoy naval 
victory. The first was on the Coral Sea, the battle of the Coral Sea, 
and the second was at Midway. At the battle of Midway, the tide 
was turned. 

Now, it is very interesting what happened in this historical con- 
text. The Coral Sea and the battle of Midway occurred in 1942. In 
the summer of 1942, a newspaper reporter became aware that the 
United States was breaking the communications of the enemy and 
it was published in a U.S. newspaper. It became a cause celebre 
and was repeated a number of times, and by the late summer the 
enemy had changed their communications process. 

Coincident with that, the campaign in the Solomon Islands was 
initiated. It was long and it was bloody. We could not see their in- 
tentions. We did not understand what they were planning to do. 


Therefore, it cost countless thousands of lives that, in my view,
could have been avoided if our capability to exploit had been pre- 

NSA is involved in this level of activity every day, but as you 
well know, it is classified. If I spoke about it in public, what suc- 
cess we do enjoy today would disappear. So I use this historical 
context to try to provide some weight to what it means to the Na- 

I just would terminate on that particular subject in a current 
context by just advising you that the Secretary of Defense and Gen- 
eral Powell at the conclusion of Desert Storm came out to NSA to 
personally thank the employees, the men and women, of NSA for 
the contributions that they made. 

Sir, when we were asked to provide a technical solution, if there 
was a technical solution to this seemingly intractable problem, we 
started with a list of objectives, and I want to give those objectives. 
First and foremost, we just made ourselves a list of, as citizens, 
how would we like a technical solution to come out. 

The first was, contrary to what appears in the popular literature, 
enhancement and protection of the privacy of Americans. That was 
number one on our list. The second was to protect public and pri- 
vate corporate information, business information; to promote U.S. 
competitiveness; and, of course, the last objective was what we
were asked to provide some thought to by Justice and NIST, and 
that was to allow law enforcement to monitor criminals or terror- 

We conceived Clipper. It has been referred to here most often as 
Clipper. It is actually an algorithm and the name of it is Skipjack. 
Clipper is just one application of Skipjack. There are others. As has 
been stated earlier, it is 16 million times stronger than the current 
Federal standard, which is referred to as DES, or the Data 
Encryption Standard. 

The idea was to escrow the key, hold it in such a way that it 
could be drawn for legitimate purposes. But if you really think 
about it for a moment, the auditability of the process and the ac- 
countability of the process improves the privacy of Americans over 
where it is today. Today, a political opponent, a used car salesman, 
a credit research bureau, a rogue cop, could intercept someone's 
communications. If they were using the devices that we have dis- 
cussed here this morning with escrowed key, then the only way 
that you could break that communication would be with some over- 
sight provided by a court in a process that is more accountable 
than what exists currently. 

So I think, in my view, we have struck the proper balance be- 
tween privacy protection and law enforcement access. I really be- 
lieve when I have thought this through, and I have been working 
at it and thinking about it now for some 2 years, that the privacy 
of Americans is enhanced, not degraded. It not only is court-author- 
ized, but we tried to make it analogous to the way we do nuclear 
weapons — two-agency control and two-man control, never allowing 
one person to have absolute control of the process. The existing 
wiretap authorities have not been expanded, and existing legal pro- 
tections, in fact, in my view, have been strengthened. 


NSA's INFOSEC mission, our mission which is not well known 
to most of those who talk about us and most discussions about 
what we do against foreign interests in terms of intelligence collec- 
tion — we do have another mission, and that is information security 
for the government. We make the government's code, and because 
we are probably the most robust encryption activity available to 
the country, our expertise is drawn upon so we can take some of 
that technology that we have, in fact, spent millions of dollars on 
to make it available to resolve some of these other problems. 

The administration did not take this lightly. They spent some 9 
months reviewing it. They solicited and considered industry views. 
They concluded at the end of that deliberation that export controls 
on cryptography should be maintained as being in the best inter- 
ests of the Nation so that it would not damage NSA's mission and 
our global responsibilities. 

A number of reforms were announced mandating speeding-up of
the process and easing the regulatory burden to get, in fact, ap- 
proved export items of a cryptographic nature exported — key es- 
crow products that can be licensed quickly for movement out of the 
country so long as it is consistent with national security. 

Now, a number of laws have been discussed today, and issues 
discussed today, and I think our two previous speakers captured it 
very eloquently. What I heard was one discussion of privacy and 
another discussion of profit motive or being motivated to do this be- 
cause it may have some impact on U.S. business. 

I would just highlight that there are other rules and regulations 
that people find offensive in the privacy sense, but to come into 
this hearing today I was electronically searched. To get on an air- 
plane, I am electronically searched. The Congress has decided that 
that invasion of privacy is worth it in the interests of public safety. 
The same argument is being made with regard to court-authorized 
intercept of terrorist or criminal communications. Some would 
claim that these and other laws invade privacy. In my view, it is 
a balance of that privacy. 

Key escrow is a technical solution to a very complex set of equi- 
ties. As a matter of fact, at NSA that is how we refer to this issue. 
In addition to being a headache, we call it our equities issue. 
Whose equities are involved? I go back to what our original objec- 
tives were — Americans' privacy, corporate interest, law enforce- 
ment, and the competitiveness of U.S. business. So when we weigh 
all those equities, at least in my view, and I would say fortunately 
in the view of the administration which reviewed this, to include 
very active participation by the Vice President — he came down on 
the side of the most equities are represented and protected by the 
key escrow initiative. 

So, that concludes my statement. I would be happy to try to an- 
swer your questions. 

Senator Leahy. Thank you; Skipjack is for voice encryption now.
Are you working on something even faster for data encryption? 

Admiral McConnell. Yes, sir. Currently, Skipjack can be made
fast enough to keep up with any current or anticipated application, 
but there will be a need to go faster and we will either have to 
make Skipjack go faster or have a new approach. One of the things 
I might mention is, working for Defense — Defense had asked us to
come up with a technical solution for a way to use the information
superhighway to exchange E-mail communications with business, 
with contractors, and so on, in a way that would be protected. That 
was why Skipjack was invented. The application is something we 
call Capstone. It is a PC card that just plugs in and provides you 
a lot of the functionality that has been discussed earlier. 

When the FBI and Justice presented us with this other problem, 
we just took the Skipjack algorithm and applied it to basically a 
voice-only problem. Now, so far in the administration's review, the 
only thing that they have authorized in this FIPS, or this standard 
which is published by NIST, is for the voice and a low data rate 
application only. Where we are proceeding with Capstone, or this 
application for the Defense Department, that is strictly for govern- 
ment use, and whether it is going to be made available to the pub- 
lic and become a voluntary standard, and so on, is yet to be deter- 

Senator Leahy. I think your discussion of the Pacific battles was 
illustrative. Without going into any specific case, the hypothetical 
I used earlier today about threats from terrorist organizations — 
would you say that is a realistic hypothetical? 

Admiral McConnell. Sir, I thought Mr. Walker made a compel- 
ling argument for what is out there, and I just would highlight — 
and this is difficult for me to answer because it gets into sources 
and methods. 

Senator Leahy. Well, maybe I should ask it this way. Is it your 
estimation as one who deals with the security of this country that 
the United States, like most other Western nations, is not immune 
from terrorist threats from abroad? 

Admiral McConnell. No, no, sir, not at all.

Senator Leahy. That is basically my question. 

Admiral McConnell. Not at all. 

Senator Leahy. Do you know whether foreign governments 
would be interested in importing key escrow encryption products to 
which they, not the U.S. Government, hold the keys? 

Admiral McConnell. Sir, this is a very interesting question and,
in my view, when we have entered into discussions with our coun- 
terparts — we have counterpart relationships, as you are aware, and 
I would say that we in this country are probably a little further 
along in the decision process than some of our allies. 

You used an example earlier, if you wanted to import cryptog- 
raphy into France, and I found it very interesting that you used 
France as your example because you can't import cryptography into 
France. When we have talked to our business partners, those that 
we deal with in the private sector, we frequently are asked, why 
can't you get my products into France? Well, the French pass laws 
that say you can't do that. They are going through this deliberation 
in the EC and in Europe and in the individual countries of Europe 
to determine how they are going to address this problem. 

I just would use a phrase that I used when we had an oppor- 
tunity to meet with the Vice President and discuss this issue and 
when we were coming to closure for decision. I said, sir, if you listen
to the argument that unexploitable encryption should be available
in this country to be exported anywhere we want to export it
in the world, then you take the problem that we are attempting to
solve in this country and make it our allies' problem. Our allies
have problems with criminals and drug dealers and terrorists. Are 
they likely to allow U.S. firms to import cryptography into their 
country that would shut out their law enforcement abilities? So 
these questions are very difficult. They are incredibly complex, and 
we are going through that process. I don't know exactly how it will
come out.

Senator Leahy. Have we had governments that have asked us, 
if we go forward with this, to work out a deal to share keys with 


Admiral McConnell. There are discussions with my counterparts
and there are discussions at the law enforcement level. How
it will turn out I can't forecast, but I would say that the objective 
of some of the various participants in the discussion is, if there is 
a law enforcement problem involving a foreign country and this 
technology is used, to work out some process that could help con- 
tribute to solving that law enforcement problem. 

One of the things I worry about is this is exportable by an Amer- 
ican by his own use. Now, he may not be permitted to use it in 
some given country because of the laws of that country, but he will 
be able to use it in other places. What I worry about is how do I 
ensure the privacy of that American who is in a foreign country. 
So these are very difficult questions that we will have to work our 
way through. 

Senator Leahy. But then we could have the possibility of these 
keys being in countries other than our own. 

Admiral McConnell. Yes, sir, we could. 

Senator Leahy. How does a country like France address the 
question that if they prohibit encryption devices or encryption pro- 
grams that they may be just closed out of the whole information 
superhighway entirely? 

Admiral McConnell. Currently, the information superhighway 
is not encrypted, and that is what 

Senator Leahy. But I mean if somebody used Pretty Good Pri- 
vacy, for example, on there, it is encrypted. 

Admiral McConnell. Yes, sir. 

Senator Leahy. I mean, if you have got somebody sitting on the 
outskirts of Paris who clicks on to the Internet and if he uses Pret- 
ty Good Privacy to encrypt his message and send it to somebody 
in San Diego, CA, it is there. 

Admiral McConnell. Yes, sir. The laws, as they have been ex- 
plained to me, in France are that you cannot import, export or do- 
mestically produce encryption without government approval. 

Senator Leahy. So, that person would be in violation of the law? 

Admiral McConnell. That person would be in violation of 
French law in that specific instance. Now, cases are made that this 
technology is available around the world, it is on Internet, it flows, 
and so on. 

Senator Leahy. Especially with the EC and worldwide trade, you 
can have companies who have got a branch in France and Italy, 
Ireland, the United States, Canada, Mexico, and Argentina. They 
may be constantly sending material back and forth, everything 
from E-mail to specs and diagrams and blueprints, and want to
encrypt it all. Doesn't a country like France get into an impossible
situation if they are suddenly cut out of that loop? 

Admiral McConnell. Yes, sir, you can make that argument. So
far, it hasn't gotten to that point. My choice, of course, would be 
if it is possible for key escrow standards to be established in a way 
that we can work it out with our allies, and so on, and that pro- 
tects each person's equities. We don't really know where this is 

I want to address the point that was made earlier by one of the 
preceding witnesses about the availability of these products. Sir, I 
don't deny that you can put something on Internet and it will flow, 
but I do a market survey of the globe every day, 24 hours a day, 
and what I can report back to you is, as a practical matter, for the 
kinds of things that are interested in from a foreign intelligence as- 
pect there is not widespread use of some of these things. 

Does that mean that there will not be widespread use in the fu- 
ture? We are judging human behavior, so we don't know exactly 
how that is going to turn out, but of the products that have been 
available to us to examine, they are not all as they have been ad- 
vertised to be. Now, that is a cute way of saying the real answer 
is classified and I will discuss it with you at a later time. The argu- 
ments being made in public I have difficulty refuting because what 
I know is at a classified level. 

Senator Leahy. Well, we are going to go shortly into that part 
of the hearing, but let me ask you this. What if the key escrow 
encryption chip — say, the Clipper Chip — is not widely accepted on 
a voluntary basis? Now, I understand some of the things that are 
being done to make it more acceptable, such as the government 
buying and the cost going down, and so on and so forth. Would the 
intelligence and law enforcement agencies recommend that all 
encryption systems — DES, Pretty Good Privacy, whatever else —
have a key escrow feature, with the government holding a dupli- 
cate set of the keys? 

Admiral McConnell. On a mandatory basis? 

Senator Leahy. Yes. 

Admiral McConnell. That is not the intent of the administra-

Senator Leahy. Well, would that suffice in order to allow expor- 

Admiral McConnell. Currently, there are products exported 
from the country that do not have escrow key. As a matter of fact, 
the vast majority of those who desire export 

Senator Leahy. They are not as good either. 

Admiral McConnell. No, sir. That is correct. Skipjack is no trivial
algorithm. I mean, if you were to attack this — as it has been
described earlier, as you run something to exhaustion and if it is 
robust — if you were to attack it, I mean you are into not hundreds, 
but thousands of years before you could ever run it to exhaustion. 

Senator Leahy. Well, let us think of it another way. Suppose you 
have got a Clipper Chip the Key Escrow System and everything 
else, and somebody double encrypts it, say, using DES. Can you tell 
from looking at the cipher, the encrypted text, whether the underlying
message was encrypted?

Admiral McConnell. It would be difficult. If one were to use 


Senator Leahy. In other words, I am asking you if double 
encrypting can defeat Clipper Chip. 

Admiral McConnell. Yes, sir, it clearly could, but there would
be no advantage to using Clipper and, let us say, DES, for example. 
You would just use DES. Assuming that you were a criminal and 
the government held the keys, getting through Clipper you would 
still have the same level of protection, which is a 56-bit key, a ro- 
bust algorithm known as DES. 

Senator Leahy. Let me ask you about the family key. Every Clip- 
per Chip has the same family key programmed into it, if I under- 
stand it correctly. It is used by law enforcement to decode an inter- 
cepted serial number or the identifier that is at the beginning of 
each encrypted conversation.

Now, if somebody got unauthorized access to the chip family key, 
can they do anything with that? For example, can they keep track 
of communications traffic back and forth between a particular chip? 

Admiral McConnell. They would be able to read the serial number
on the chip.

Senator Leahy. Is that about it?

Admiral McConnell. Yes, sir, but that is kind of an interesting
question, sir. With your law enforcement background, I am sure 
you are aware that if you are conducting a criminal investigation 
every phone call — records are kept by the phone company for toll- 
ing purposes, so if you are a criminal investigator with a case open, 
you just subpoena those records or get the records and they are 
made available to you. So there wouldn't be any advantage to — if 
I were law enforcement, I sure wouldn't want to break the law to 
do something I could get with due course. 

Senator Leahy. But they couldn't use it to in any way decode? 

Admiral McConnell. No, sir. 

Senator Leahy. They would still need the 

Admiral McConnell. No, sir, and they wouldn't get any more information
than they already get in current activity.

Senator Leahy. Well, Admiral, unless you want to add something
in open session, we will go over to the bubble. 

Admiral McConnell. No, sir. Thank you for the opportunity to

Senator Leahy. Thank you. 

[The prepared statement of Admiral J.M. McConnell follows:] 

Prepared Statement of Vice Admiral J.M. McConnell 

Good morning. I appreciate the opportunity to discuss with you NSA's interests 
in and involvement with the Administration's key escrow encryption program and
its decision to encourage the use of the government designed encryption
microcircuits, commonly referred to as CLIPPER chips. These microcircuits, or
chips, provide robust encryption, but also enable law enforcement organizations, 
when lawfully authorized, to obtain the key that unlocks the encryption. The Presi- 
dent's program advances two seemingly conflicted interests — preserving critical elec- 
tronic surveillance capabilities, on the one hand, and providing excellent informa- 
tion systems security, on the other. I will discuss the role we played in support of 
this program. I will also discuss NSA's interests, both in general and in respect to 
the President's program. 


Our role in support of this initiative can be summed up as "technical advisors" 
to the National Institute of Standards and Technology (NIST) and the FBI. 


As the nation's signals intelligence (SIGINT) authority and cryptographic experts, 
NSA has long had a role to advise other government organizations on issues that 
relate to the conduct of electronic surveillance or matters affecting the security of 
communications systems. Our function in the latter category became more active
with the passage of the Computer Security Act of 1987. The Act states that the Na- 
tional Bureau of Standards (now NIST) may, where appropriate, draw upon the 
technical advice and assistance of NSA. It also provides that NIST must draw upon 
computer system technical security guidelines developed by NSA to the extent that 
NIST determines that such guidelines are consistent with the requirements for pro- 
tecting sensitive information in federal computer systems. These statutory guide- 
lines have formed the basis for NSA's involvement with the key escrow program. 

Subsequent to the passage of the Computer Security Act, NIST and NSA formally 
executed a memorandum of understanding (MOU) that created a Technical Working 
Group to facilitate our interactions. The FBI, though not a signatory to the MOU,
was a frequent participant in our meetings. The FBI realized that they had a do- 
mestic law enforcement problem — the use of certain technologies in communications 
and computer systems that can prevent effective use of court authorized wiretaps, 
a critical weapon in their fight against crime and criminals. In the ensuing discus- 
sions, the FBI and NIST sought our technical advice and expertise in cryptography 
to develop a technical means to allow for the proliferation of top quality encryption
technology while affording law enforcement the capability to access encrypted com- 
munications under lawfully authorized conditions. 

We undertook a research and development program with the intent of finding a 
means to meet NIST's and the FBI's concerns. The program led to the development 
of two microcircuits or chips. The first was an all-purpose chip with encryption, pub- 
lic key exchange, digital signature, and hashing functions. The second contained the 
encryption function only and is intended for use in devices in which digital signa- 
ture and hashing are not needed and key exchange is provided by some means out- 
side the chip. 

Throughout the design and development of the key escrow encryption system, we 
placed an emphasis on providing for the protection of users' privacy. We focused on 
ways in which we could preserve law enforcement's existing capabilities without un- 
dermining privacy rights and protections embodied in current law. 

One of the technical solutions to these privacy concerns is the split escrowed key.
All chips have been designed to be programed with their own identification number
and a unique key that could be used to unlock the encryption. Because the
chip-unique keys can be used to unlock the encryption, we also devised a means to split
the keys and to keep each part with a different custodian. Neither part is useful
without the other. The parts of each chip's unique key are separately escrowed with
two trusted custodians at the time the chip is programmed. In this way, when law
enforcement officials conduct a court-authorized wiretap and encounter this
encryption, they can identify the chip being used and obtain the corresponding
chip-unique key from the custodians, again using the court authorization. This concept
of splitting the key into two or more parts is a sound security technique which provides
a safeguard against unlawful attempts to obtain keys and illegally access protected
communications. This also provides security against the risk that a single
custodian might lose control of the keys, making the corresponding chips vulnerable
to decryption.

In addition to splitting the key, the system has been designed so that the
chip-unique key components are encrypted. Neither the custodians nor law enforcement
officials know even a portion of the unique keys. The unique keys are only decrypted
in a special device used to decrypt communications encrypted with key escrow chips.
These devices are, of course, kept under strict control to ensure they are used only
in connection with authorized wiretaps.

With the key escrow concept, the U.S. is the only country, so far, proposing a tech- 
nique that provides its citizens very good privacy protection and maintains the cur- 
rent ability of law enforcement agencies to fight crime. Other countries are using 
government licensing or other means to restrict the use of encryption. We have gone 
to great lengths to provide for both the privacy and law enforcement interests and 
I believe we have developed the best technical approach to date. As a result, I be- 
lieve the key escrow encryption system actually enhances privacy protections when 
you consider that most people currently use no encryption. Widespread use of CLIP- 
PER will make it easy for people to take advantage of the benefits that high quality 
encryption offers. 


NSA's Interests in the Key Escrow Initiative

While our role in this initiative has been that of technical advisor to NIST and
the FBI, we are very interested in the outcome and its impact on NSA's two mis- 
sions, information security and foreign signals intelligence. 

NSA has a mission to devise security techniques for government communications 
and computer systems that process classified information or are involved in certain 
military or intelligence activities. In keeping with the Computer Security Act of
1987, we also make available to NIST the benefits of our security expertise so they
can, as appropriate, use it to promulgate the security standards applicable to the
systems under their purview, i.e. federal systems that process sensitive unclassified 
information. Through our support of NIST and the promulgation of standards for 
federal systems, we advance a goal we all share — assuring that Americans have
available to them the products they need to secure their communications and com- 
puter systems. 

The NSA Information Systems Security, or INFOSEC, organization is continu- 
ously striving to understand the threats to information systems and to devise new 
or improved methods to protect against those threats. While most of us only con- 
sider the security of our systems when there is a much publicized case of computer 
hacking or intercepted cellular calls, NSA's INFOSEC people recognize the threats 
are ever present. They possess a unique sensitivity to the nature and the extent of 
these threats, and these insights into information system vulnerabilities form the 
foundation for building information systems security products. We have applied this
knowledge and unrivaled cryptographic expertise for over 40 years in designing se- 
curity products for U.S. communications and information systems that I can say 
with confidence and pride, are second to none. 

Key escrow technology advances NSA's INFOSEC interests. For one thing, the 
encryption microcircuits provide excellent security, better by far than the Data 
Encryption Standard (DES). We will use these chips in products to secure informa- 
tion systems for which we are responsible. We are also pleased to see such robust 
security available for the voluntary use of all Americans. To the extent that we can 
use commercial off-the-shelf products as a basis for securing information systems 
under our purview, the cost to all users will decline. Moreover, widespread use of 
these products will enhance the interoperability of systems among all users. All of 
this is to the good of our INFOSEC interests. 

The key escrow initiative was designed to accommodate all of our interests in as- 
suring the privacy of our communications and in preserving law enforcement access 
to communications when necessary and lawfully authorized. This accommodation reflects
the Administration's realization of the importance of effectively managing this
technology so as to preserve our electronic surveillance capabilities. Whether it is 
law enforcement's wiretap-derived evidence of a crime or intelligence information re- 
garding a foreign government, we as a nation use the product of electronic surveil- 
lance to assure the national security and the public safety. 

From a signals intelligence standpoint, we are only concerned with the use of 
encryption by targets of our foreign intelligence efforts. Clearly, the success of NSA's 
intelligence mission depends on our continued ability to collect and understand foreign
communications. Encryption, a technique for scrambling communications so
that unintended recipients cannot understand their contents, can disrupt our ability 
to produce foreign signals intelligence. Controls on encryption exports are important 
to maintaining our capabilities.

At the direction of the President in April, 1993, the Administration spent ten 
months carefully reviewing its encryption policies, with particular attention to those
issues related to export controls on encryption products. The Administration consulted
with many industry and private sector representatives and sought their opinions
and suggestions on the entire encryption export control policy and process. As
a result of this review, the Administration concluded that the current encryption ex- 
port controls are in the best interest of the nation and must be maintained, but that 
some changes should be made in the export licensing process in order to maximize 
the exportability of encryption products and to reduce the regulatory burden on ex- 
porters. These changes will greatly ease the licensing process and allow exporters 
to more rapidly and easily export their products. 

In addition, the Administration agreed at the urging of industry that key escrow
encryption products would be exportable. Our announcement regarding the 
exportability of key escrow encryption products has caused some to assert that the 
Administration is permitting the export of key escrow products while controlling 
competing products in order to force manufacturers to adopt key escrow technology. 
These arguments are without foundation.


Many non-key escrow encryption products have long been licensed for export. 
Such products will continue to be approved for export notwithstanding the fact that 
key escrow encryption products are becoming available. Moreover, we will continue 
to review proposed exports of new encryption products and will license them for ex- 
port in any case in which the export is consistent with national interests. Finally, 
as I mentioned earlier, the Administration is in the process of implementing reforms 
of the licensing process to speed licensing and reduce the licensing burdens on 
encryption exporters. These reforms will benefit exporters of key escrow and non- 
key-escrow encryption alike. In short, we are not using or intending to use export 
controls to force vendors to adopt key escrow technology. 


In sum, I believe the President's initiative is a reasonable response to a very dif- 
ficult set of issues. It accommodates users' interests in security and the law enforce- 
ment interest to unlock encryption when lawfully authorized. The procedures for 
escrowing key are being developed to ensure the security of the devices is not compromised
by the escrow system. There are, to be sure, issues to be ironed out, but
I am confident we will work out the wrinkles.
I would be pleased to answer any questions you may have. 

Senator Leahy. The subcommittee stands adjourned. 
[Whereupon, at 12:41 p.m., the subcommittee was adjourned.] 
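
The split escrowed key described in Admiral McConnell's prepared statement, sketched as an added example that is not part of the hearing record or of the escrow system itself. XOR splitting, the 10-byte key length, the chip ID, and the names `Custodian`, `program_chip` and `recover_unit_key` are assumptions made for illustration; the encryption of the key components that the statement also mentions is not modeled.

```python
"""n-of-n XOR key splitting with separate custodians (added illustration)."""
import secrets
from functools import reduce

KEY_BYTES = 10  # assumed chip-unique key length for this sketch


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int = 2) -> list:
    """Split key into `parts` components; all of them are needed to rebuild it."""
    if parts < 2:
        raise ValueError("need at least two custodians")
    # parts-1 components are pure randomness; the last one absorbs the key.
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    shares.append(reduce(xor_bytes, shares, key))
    return shares


def combine(shares: list) -> bytes:
    """XOR every component together to recover the original key."""
    return reduce(xor_bytes, shares)


def partner_for(share: bytes, candidate_key: bytes) -> bytes:
    """Return the second component that would make `share` yield candidate_key.

    Such a partner exists for every candidate, which is why one custodian's
    component alone rules out no key at all in a two-way split.
    """
    return xor_bytes(share, candidate_key)


class Custodian:
    """Hypothetical escrow agent holding one component per chip ID."""

    def __init__(self, name: str):
        self.name = name
        self._vault = {}

    def deposit(self, chip_id: str, component: bytes) -> None:
        if chip_id in self._vault:
            raise ValueError(f"{chip_id} already escrowed with {self.name}")
        self._vault[chip_id] = component

    def release(self, chip_id: str, authorized: bool) -> bytes:
        # Each custodian checks the authorization independently.
        if not authorized:
            raise PermissionError(f"{self.name}: no authorization for {chip_id}")
        return self._vault[chip_id]


def program_chip(chip_id: str, custodians: list) -> bytes:
    """Generate a unit key and escrow one component with each custodian."""
    unit_key = secrets.token_bytes(KEY_BYTES)
    for custodian, part in zip(custodians, split_key(unit_key, len(custodians))):
        custodian.deposit(chip_id, part)
    return unit_key  # in this sketch the caller stands in for the chip


def recover_unit_key(chip_id: str, custodians: list, authorizations: dict) -> bytes:
    """Rebuild the unit key; fails if any single custodian refuses to release."""
    parts = [c.release(chip_id, authorizations.get(c.name, False)) for c in custodians]
    return combine(parts)


if __name__ == "__main__":
    agents = [Custodian("agent-1"), Custodian("agent-2")]
    key = program_chip("CHIP-0001", agents)  # constructed chip ID
    ok = recover_unit_key("CHIP-0001", agents, {"agent-1": True, "agent-2": True})
    print("recovered with both custodians:", ok == key)
    try:
        recover_unit_key("CHIP-0001", agents, {"agent-1": True})
    except PermissionError as exc:
        print("refused:", exc)
```
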


Additional Submissions for the Record 

Prepared Statement of Computer and Business Equipment Manufacturers 



CBEMA represents the leading U.S. providers of information technology products 
and services.1 Its members had combined sales of $270 billion in 1992, representing
about 4.5% of our nation's gross national product. They employ more than 1 million 
people in the United States. CBEMA develops and advocates public policies beneficial
to the information technology industry in the U.S., participates in all pertinent
standards programs worldwide, and sponsors the U.S. committees developing vol- 
untary standards, domestically and internationally, for information technology. 

CBEMA initially reacted to the President's key escrow/Skipjack 2 initiative during 
hearings in June held by the Computer System Security and Privacy Advisory
Board to the National Institute of Standards and Technology. The CBEMA state- 
ment voiced our industry's concerns about individual privacy, the marketability of 
products, both in the U.S. and abroad, the technical difficulties of incorporating key
escrow/Skipjack into devices, and the cost/competitiveness problems associated with
key escrow/Skipjack. 

This paper further develops several of those issues and offers CBEMA's recommendations
that will meet both law enforcement and private sector needs in the
U.S. and abroad.3 This document neither endorses nor criticizes the concept of key
escrow. It does, however, examine the realities of a marketplace that has evolved 
without a key escrow system and concludes that: 

• The negative implications of using key escrow/Skipjack for protecting typical in- 
formation technology applications far outweigh the potential benefits. 

• The Data Encryption Standard should be recertified. 

• An encryption strategy should be developed in a public forum.

• Sponsored research is needed to develop a software embodiment for key escrow. 

• Encryption export controls need revision. 


Each year the market for information technology equipment and related products 
becomes increasingly global. During the 1970s and early 80s the majority of sales 
by U.S. manufacturers was domestic. Today, however, between half and two-thirds 
of all sales by U.S. information technology manufacturers are to foreign customers. 

1 See appended list of members. 

2 "Key escrow" refers to the general concept; for specificity we have used the term "key escrow/ 
Skipjack" to refer to the technical embodiment currently under discussion. 

3 The viewpoint in the paper is that of vendors in a global market seeking to meet their cus- 
tomers' needs, including those of the government. Therefore, its focus is on business and eco- 
nomic implications, and it expresses no positions on the social, political or legal issues surround- 
ing the key escrow/Skipjack proposal. 



The globalization of the market for information technology products has paralleled 
a revolution in information technology use that has fundamentally changed the then 
existing modes of operation. In the 1970s and early 80s most businesses imple- 
mented large main frame computer complexes that served employees at the site or 
remote terminals connected to a single computer system. Because few of these computer
systems were connected with other computer systems, most security measures
were directed at the computer site. 

Today, however, interconnected computers are the norm. Digital networks — such 
as electronic mail systems, Internet, and digital telephone system — increasingly are 
relied upon for routine as well as sensitive communications, and security is required
for those interconnections and for the personal computers being interconnected to 
those networks. Continuing rapid development of information technology products 
depends heavily upon wireless technology, and security will be required for commu- 
nications among these products as well. 

For the future we must develop processes that will support successful development
of a National Information Infrastructure (which will in reality be global). In
this development major concern is already focused on how to safeguard information 
on the network. 


During the evolution of information processing, encryption also gained signifi- 
cance. Although some vendors implemented their own versions of encryption, the 
Data Encryption Standard (DES) and public key algorithms (such as RSA) became 
the leading cryptographic techniques. DES is an American National Standard as 
well as a Federal Information Processing Standard (FIPS). Today a large installed 
base of devices and systems rely on DES and RSA. The banking industry, for example,
has its standards for interbank operations such as funds transfer based on the
DES. Encryption based on the DES standard also is used increasingly in over-the-counter
software products and as an element of larger hardware and software solu-

In the 1980s customers demanded that vendors provide products which would op- 
erate with one another. A major response to this demand was creation of the Inter- 
national Organization for Standardization/International Electrotechnical Commis- 
sion (ISO/IEC) Open Systems Interconnection (OSI) architecture, which provides se- 
curity services including encryption among its specifications. In another response, 
some vendors formed the Open Software Foundation (OSF) to help standardize im- 
plementation of fundamental software tools across platforms such as the UNIX oper- 
ating system. OSF has announced a set of network software products implementing 
the distributed computing environment (DCE) which uses the DES algorithm for 
purposes of authentication, data confidentiality and integrity, and network access
control. The Internet Society utilizes both DES and RSA to provide its Privacy Enhanced
Mail (PEM) facility. This technique is very close to that utilized in the X.400
messaging recommendation and supported by the ISO/IEC OSI Directory standard. 
The American National Standards Institute (ANSI) standards committee for bank- 
ing, X9, has also recently adopted these techniques. In short, the infrastructure to 
support security services for business needs, e.g., electronic data interchange of 
transaction documents, health care automation and so on, is rapidly being deployed. 
A key factor in the acceptance of DES and RSA is the confidence in their cryp- 
tographic strength and overall integrity that has developed over years of public 

Demand for encryption is expected to increase more rapidly as techniques become 
more simplified. In the past, utilization of encryption was a deeply considered deci- 
sion made by user management, since employing it imposed significant costs, espe- 
cially those of key management. But simpler key management techniques have been 
developed that maintain a high level of security. One approach, for example, involves
using a public key technique to deliver the DES key and DES to encrypt the
contents for confidentiality. As an example of another approach, the DCE noted 
above generates session keys and manages the keys with total transparency to the 
user. A result of this simplification has been the rapid evolution to using encryption
for applications in the commercial marketplace, because encryption services may be
included in typical information technology applications at a much lower cost.

Whole new classes of application and product have been developed which incor- 
porate encryption in the product design. One example is automated teller products. 
In such systems the customer is assured of security without having to think about
how this is achieved. Other examples of this product-design-encryption trend are 
non-repudiation and digital signature services in electronic data interchange and 
privacy enhanced mail on the Internet. These newest developments indicate that
encryption will become more, rather than less, prevalent in the future — both in
organizationally controlled environments and in stranger-to-stranger operation.


The importance of computer security has dramatically increased due to widespread
deployment of distributed processing, open network highways, and greater
interoperation of computing platforms from many vendors. To meet this challenge,
the computer industry requires consistent cryptographic standards for algorithms, 
procedures and applications. It also requires vendor access to information regarding 
algorithms for freedom of implementation in various technologies and products. This 
access and the resulting flexibility of implementation are largely responsible for the 
success of DES and public key encryption. As a result of this evolution interested 
vendors have negotiated licenses for the use of RSA. DES licenses are available roy- 
alty free. 

Other design and cost issues emerge when the application of key escrow/Skipjack
to wireless technologies is examined. Experience to date with cordless and cellular
phones shows that their vulnerability to being overheard is a significant weakness.
The cutting edge of information technology products, both personal and for the
office, rely on wireless technology. Thus, many organizational customers will demand
encryption capability to maintain the confidentiality required for their operations.
The vendor's margins for these devices are expected to be slim, due to fierce
competition and savvy, cost-conscious customers. Thus a premium will continue to exist
for flexibility in implementation and low cost.

Current rules-of-thumb put the final price of a component at four times its cost
to the manufacturer. Therefore the cost of key escrow/Skipjack (currently estimated
at $25) and its support circuitry could significantly raise a product's price compared
to the price of the same product without this encryption capability. It is apparent
that a hardware encryption method such as key escrow/Skipjack is a costly
alternative to software embedded encryption, even with royalties.

For portable and personal devices there will be an additional issue raised by the 
size and power requirements of the physical embodiment. The limiting performance 
factor for such devices is battery life. Key escrow/Skipjack, then, must be designed 
to cause a very low power drain. Combining this with the restricted physical space 
available, an attractive design approach would be to use software encryption, since 
the designers typically seek to minimize the number of chips in the device. 

The requirements of hardware/software implementations and interoperability are 
two vital requirements that are not met by key escrow/Skipjack. In summary, the 
classified nature of the Skipjack algorithm creates the following problems for indus- 

1. Selection of a new, classified, unpublished algorithm for domestic commercial 
usage is counter to the need for broad interoperability and management of cryp- 
tography that is required by the customer. 

2. The choice of classified technology for commercial applications restricts the
industry's ability to effectively and efficiently meet market needs. Since details are
unknown to product developers, it is impossible to implement that capability by
embedding it in systems products. With a single classified key escrow/Skipjack
implementation, this function cannot be effective in a broad range of products requiring
cryptographic capability. Whereas published algorithms have been effectively
engineered into products that range from a "smart card" to a mainframe, they do not
rely on a single technological implementation.

3. Because the Skipjack algorithm is classified, software implementations are ex- 
cluded. In some cases encryption, while needing to be secure, does not need to be 
fast. In this environment a software implementation might be the wisest, least ex- 
pensive solution. 

4. In certain applications there is a requirement to selectively apply encryption to 
data. For example, in supporting electronic mail the address on the "envelope" 
must be in the clear, even though the "letter" is encrypted. This will be difficult 
to implement without customizing the encryption service. Since Skipjack is classi- 
fied and isolated on a chip, such customization is difficult at best. 



Implementation of key escrow/Skipjack as a standard for data in the U.S.,
through extensive government procurement, would increase costs to the Government
by the need to design security products for which there is very limited overseas
demand. Specifically, the U.S. Government's guaranteed access to communications
made with products that incorporate key escrow/Skipjack will make the products ei- 
ther unacceptable or highly undesirable for most non-U.S. customers. Other tech- 
niques (e.g., DES) will therefore continue to be used, even though they are subject 
to restrictive U.S. export controls. The resulting fragmentation of the market will 
provide an advantage to overseas producers, who will continue to market DES-based 
and other security products both in the U.S. and abroad. 

The DES standard will continue to be used worldwide regardless of volume
purchasing by the U.S. Government. The DES standard is already widely used in the
banking industry, for commercial applications within the U.S., and by governments
outside the U.S. Implementations are available in both hardware and software;
investment in the installed base of DES applications is considerable. Consequently,
U.S. firms will continue to be solicited to provide data encryption products based
on DES. Some users stand to be disadvantaged commercially by implementation of
key escrow/Skipjack. In the banking industry, for example, systems would have to
be designed to this standard for communication with government agencies (e.g., the
Federal Reserve); however, institutions will have to continue to maintain data
communications based on both standards to serve non-U.S. financial institutions and
institutions that do not communicate with the Federal Government.

Key escrow/Skipjack is not compatible with implementations worldwide. Since
customers demand that devices interoperate with the installed base to protect the
investment they have made in hardware, software and administration of their
systems, they will be unlikely to accept devices implementing key escrow/Skipjack
because they lack the interoperability they need.


Although the Administration's key escrow/Skipjack proposal does not specifically
state the export control policy to be applied to this technology, no discussion of
encryption can omit the export control issue.

The U.S. controls all encryption products for export. Data encryption* is
controlled as a military item by the Department of State. As a matter of policy, a
virtual embargo is in place for all exports of products containing data encryption to
commercial customers other than banks, even to end-users located in countries that
are America's closest allies. This policy disregards the legitimate commercial need
for strong encryption capability.

Despite the fact that many types of software products containing encryption,
particularly those in the public domain and those that are sold on a mass-market basis,
are beyond effective control, and also the fact that many overseas vendors are now
offering strong encryption, the U.S. has made no significant change in its approach
to controlling these products. As a result, U.S. companies experience a loss in
potential sales and increased corporate security risk with no commensurate benefit in
terms of national security.

Key escrow/Skipjack does not "cure" the fundamental problems of U.S. export
controls on encryption. As the key escrow concept underlying the approach is designed
to ensure access by the U.S. Government, products based on it will be either
unacceptable or highly undesirable for most overseas customers, even in the absence of
export controls. Thus export controls on this device are not needed or desirable.

In the study of export control issues, CBEMA and its members have received
requests to provide the "facts" proving current controls impose a serious reduction in
U.S. company competitiveness. Our consensus analysis of the issue for the future
is contained in this paper. Our consensus comments about the past are in our
statement for the June 2 NIST hearings. Our members individually have agreed to make
available company proprietary information under appropriate arrangements to
ensure confidentiality.


*We use the term "data encryption" to include all forms of controlled encryption for
confidentiality. This term includes "file encryption."

This paper has examined the design, interoperability, cost, potential customer
acceptance and export control problems that are obstacles to the widespread use and
acceptance of key escrow/Skipjack. Yet CBEMA members are well aware of the
concerns of the U.S. government that led to the development of key escrow/Skipjack.
In an attempt to balance those concerns with the realities of the marketplace,
CBEMA offers the following recommendations regarding the key escrow/Skipjack

1. CBEMA members have had much discussion regarding the implications of key 
escrow/Skipjack to the future of the information and telecommunications indus- 
tries. It is predicted that much of the previous separate technology of voice, fax 
and data will converge. Current and future multimedia personal workstations are 
examples of this convergence. In this environment the workstation will serve as 
a voice answering machine, take voice dictation, fax information from a fax 
modem and have the ability to store, manipulate and send images. Indeed, the 
confusion on the possible scope of key escrow/Skipjack was emphasized in the 
draft Federal Information Processing Standard (FIPS) regarding escrowed 
encryption (EES). This draft contained an unusual description of the scope by de- 
fining the word "data" as to include voice, fax, and computer information sent 
across telephone lines. 

Before the merger of these technologies, it was appropriate to look at each ap- 
plication and build hardware and software satisfying that specific application. Be- 
cause of this former approach, there is limited imbedded investment within gov- 
ernment and industry in telephone and telephony products used in encrypting un- 
classified voice communications. It would therefore seem that financial and oper- 
ational dislocation problems would be minimized if the use of key escrow/Skipjack 
were restricted to these traditional applications and its use were to remain vol-

However, employing key escrow/Skipjack even to secure traditional telephony
applications can be expected to create undesirable product design and market
ramifications for computer and software industries due to the previously
mentioned convergence of these technologies. It seems inappropriate that the
government would continue to view these as separate and distinct application areas
when the rest of private industry is enjoying the benefits from an integrated
approach. There is the possibility that key escrow/Skipjack could conceivably satisfy
the need for encryption in government and commercial traditional telephony
applications if the resulting devices could accommodate the space, cost, throughput
and power constraints that are imposed by the key escrow/Skipjack devices. Such
investments should be made with the knowledge that successful completion of
Recommendations two through four could obsolete that investment.

2. Key escrow/Skipjack, given present limitations, is unsuitable for applications in
which there is an embedded base of DES or similar capability, particularly of the
software variety. Therefore CBEMA recommends that DES be recertified as a
federal standard for data communications for an additional five years. During these
five years, government should collaborate with industry to achieve a mutually
acceptable encryption standards strategy, applicable to all communications, i.e.,
voice and data, and narrow and broad band communications. Both DES and
public key encryption should be considered in this effort, including the possible
application of the concept of key escrow to these technologies.

3. Develop an encryption strategy in a public standards forum, i.e., the American 
National Standards Institute Accredited Standards Committee on Information 
Processing Systems, X3, in the U.S., and then the International Organization for
Standardization/International Electrotechnical Commission Joint Committee on 
Information Technology, JTC-1, internationally, with the objective of achieving 
one or more encryption standards capable of meeting the requirements and ac- 
ceptable to all users. CBEMA strongly recommends that all relevant issues, in- 
cluding international acceptance, be considered with the specific objective of 
agreeing on one or more international standards to satisfy the public need for 
encryption for information transfer of every kind in various environments. 

4. The government has requested industry's assistance to develop a software embod- 
iment of Key Escrow/Skipjack. The government should issue a request for pro- 
posal through an agency, e.g., the Advanced Research Projects Agency, for pursuit 
of a software implementation of a strong encryption facility to be accomplished 
without compromising the facility's nature. 

5. In view of the widespread availability of encryption products worldwide and the
legitimate commercial need for encryption products, CBEMA urges that the
following improvements be made with regard to export controls on encryption. These
improvements will more closely align the U.S. with COCOM policies and will also
enable U.S. companies to compete internationally:

• Software that is publicly available or mass market (per the internationally
accepted COCOM definition) should be decontrolled except for shipment to
terrorist and embargoed countries.


• Hardware implementations of decontrolled software should be similarly decon- 

• Dual-use encryption (not specifically designed for military applications) should 
be controlled under the Export Administration Act and be subject to Depart- 
ment of Commerce jurisdiction, not controlled under the ITAR. 

• Encryption functionality currently under Commerce Department jurisdiction
and controlled under national discretion procedures should be decontrolled. 

• In view of the fact that overseas demand for key escrow/Skipjack will not pose
any danger to the United States, encryption functionality provided by key
escrow/Skipjack should not be controlled for export.

Prepared Statement of the United States Council for International


The U.S. Council for International Business is pleased to submit its views on 
encryption and Clipper. 


The U.S. Council represents American business positions in the major
international economic institutions, and before the Executive and Legislative branches
of the U.S. Government. As the U.S. member of the International Chamber of
Commerce (ICC), the Business and Industry Advisory Committee (BIAC) to the OECD,
and the International Organization of Employers (IOE), the U.S. Council is the
American business group that officially consults with the key intergovernmental
bodies influencing international business. Its primary objective is to promote an
open system of world trade, finance, and investment.

The Need for an International Encryption Policy 

The U.S. needs a comprehensive encryption policy that provides security for
communications. Such an encryption policy should preserve the right of privacy for
business and individuals in voice and digital communications transmissions. At the
same time, we recognize the government's legitimate interest in accessing telephone
communications for law enforcement and national security reasons. We therefore
support the U.S. Administration's directive to Government agencies to develop a
comprehensive encryption policy, as announced one year ago on April 16, 1993.

An encryption policy, however, is not solely a domestic issue. The presence of an
internationally accepted encryption policy is essential, as companies operate in a
global marketplace. International businesses are demanding seamless webs of
communications networks whereby information can flow in a free and secure manner.
Today secure communications are critical to intra- and inter-corporate
communications and transactions, as hackers, criminals and unauthorized parties find
increasingly sophisticated tools to violate the privacy and security of communications
systems. Companies need effective, internationally accepted cryptographic standards
for secure communications and digital signatures to conduct their operations.
Although highly technical in nature, such standards could have a profound effect upon
the competitiveness of U.S. manufacturers and users of products with encryption


The Executive Branch's announcement in April 1993 of its encryption initiatives 
raised great concern among U.S. businesses. Since these initiatives (Clipper and 
Capstone) do not employ internationally accepted standard technologies and
algorithms, business will be forced to employ dual systems in order to ensure secure
communications on a global scale. Implementation of these initiatives will represent 
significant cost to American industry in equipment, software, and other resources. 

The U.S. Council's concerns over the Administration's initiatives were expressed 
in a December 16, 1993 letter to Secretary of Commerce Ronald H. Brown and a 
March 3, 1994 letter to Vice President Albert Gore. In our letter to Vice President
Gore, we said that despite the overwhelming negative public response, the Clipper 
initiative was still being advanced. Recently, there have been presentations given 
and press coverage on a new encryption initiative known as Tessera which imple- 
ments the Capstone chip. Since Tessera has the same fundamental attributes as 
Clipper, our concerns, as explained below, also apply to Tessera. 


As a voice of business, representing large users and vendors of encryption sys- 
tems, the U.S. Council would like to concentrate its comments on Clipper on three 
issues of great concern to its members: 

(1) competitiveness, 

(2) cost to users, and 

(3) liability.


To be competitive in the global marketplace, U.S. companies must be able to sell
and integrate into their products, systems that are freely exportable and desirable
to users worldwide. Multinationals need secure communications so they can interact
not only with their offices but also their suppliers and customers worldwide. For
example, in order for financial institutions to be competitive they must use encryption
systems, for banking and non-banking applications, that are acceptable worldwide
so they can communicate with other financial institutions and their customers
around the world. The competitiveness of U.S. companies can be approached from
two separate, yet interrelated aspects:

(a) Foreign desirability for chip devices, and

(b) Current export restrictions. 

a. Foreign desirability of the key escrow chip 

It is unlikely that foreign buyers, especially foreign governments, will want a
system developed by the U.S. Government, whereby the U.S. Government holds, or has
access to, the keys. Foreign import controls and regulatory requirements for
encryption systems present yet another impediment to the foreign sales of Clipper.
While there are few obstacles to sales of U.S. encryption products in most foreign
countries, some countries require full disclosure of the algorithm or demand that the
manufacturers or users deposit the key with the proper authorities. Clipper contains
a classified algorithm so it cannot be registered in countries that require disclosure
of the algorithm. As the U.S. Government is the holder of, or has access to, the key,
a user of Clipper could not deposit the key and it is not known whether the
Government will comply with this requirement. Therefore, it seems unlikely that Clipper
could be sold in countries that have such requirements.

b. Current export controls 

The competitiveness of U.S. companies has suffered long enough under current
export control restrictions. DES and RSA use algorithms that are unclassified, widely
available around the world, internationally-accepted, implementable in hardware
and software, and, most importantly, secure for communications. These encryption
systems have been under, and are continually subject to, public scrutiny. As such
they have stood the test of time; there have not been any proven successful attempts
to break DES or RSA. By protecting economic interests, DES and RSA enhance
national security.

Although DES and RSA are widely available and used around the world, they are
subject to export control restrictions. Non-U.S. vendors produce and sell these
systems in foreign countries where U.S. companies are prohibited from selling because
of U.S. export controls. Other encryption systems, based on less powerful algorithms
(RC2 and RC4), can be exported on a fast-track export licensing approval process.
These weaker systems, however, are less desirable to users of encryption systems.
Multinational corporations need to communicate, in a secure manner, with their
vendors and customers around the world and should not be prohibited from using
the most secure system available. These weaker systems are also less appealing in
the international market because foreigners can produce and use the more powerful
DES and RSA systems. Moreover, because many foreigners are not subject to the
strict export controls that exist in the U.S., non-U.S. manufacturers can sell within
their own country and to other countries, where U.S. companies cannot compete.
Our competitiveness will only worsen if existing restrictions continue while foreign
capability to provide and use powerful encryption systems increases. The logic
behind continuing such strict controls on certain U.S. exports, which have wide foreign
availability, seems flawed and therefore such controls should be abolished.


There are also substantial operational and administrative costs associated with
Clipper. Since Clipper does not interoperate with other encryption systems such as
DES, RSA, RC2, and RC4, users will face an additional cost of acquiring the device
that contains the Clipper chip. Although the chip itself is relatively inexpensive
(approximately $25 per chip), the cost of implementing it into existing communications
systems, or in addition to current systems, will be substantial. The cost to buy the
device that contains the Clipper chip will be many times more than the chip itself.
Given the substantial investment already made in the installed base of DES and
RSA products, the cost to buy additional and different devices is large. Moreover,
this is an additional cost that many businesses will essentially be forced to absorb.
Corporations that communicate with U.S. Government agencies that use Clipper
will also have to use Clipper and thus absorb the costs.

The administrative costs, such as key management, to support differing
encryption systems are also substantial. When key management is implemented for
only one encryption system, the cost can be held to a minimum. If users need to
implement several key management operations, supporting different encryption
systems, the costs will be significant.


Lastly, the U.S. Council is very concerned about the issue of liability. Since
Clipper is a hardware-based device through which information is encrypted, a
compromise of the key will destroy the security of the system and all data contained
therein. It is unclear how a company would know if the key has been compromised,
who is liable, and who should bear the cost of replacement. Moreover, the
consequential damages resulting from a breach in security might be tremendous and
possibly unrecoverable. In DES and RSA systems, the user selects his own key;
therefore, the keys are not susceptible to being compromised beyond the user's own
control. In the case of Clipper, the main keys are assigned during manufacturing,
are not changeable by the user and are escrowed with designated agencies. Even
though the Government is responsible for developing and holding, or having access
to, the keys, it has stated that it would not be liable for any compromise of the keys.


Any encryption policy should be based on an algorithm that is unclassified,
implementable in hardware and software, and useable in interconnected networks
that are defined by today's global economy. The preferred approach is to use
algorithms that are standards (i.e., DES and RSA) and which can be used for digital
signature, message authentication, encryption, and key management where the key
management system is controlled by its user. Moreover, the encryption system
should neither be subject to export control restrictions nor incompatible with
existing encryption systems used worldwide. The U.S. Government and the private
sector should work together in an open forum to develop an acceptable encryption
policy. Our efforts should be coordinated with foreign governments, international
institutions, and the international business community to develop a global encryption

Crypto Policy Perspectives

by Susan Landau, Stephen Kent, Clint Brooks, Scott Charney, Dorothy Denning,
Whitfield Diffie, Anthony Lauck, Douglas Miller, Peter Neumann, and David Sobel 

On April 16, 1993, the White House announced the Escrowed Encryption
Initiative, "a voluntary program to improve security and privacy of telephone
communications while meeting the legitimate needs of law enforcement." The initiative
included a chip for encryption (Clipper), to be incorporated into telecommunications
equipment, and a scheme under which secret encryption keys are escrowed with the
government; keys will be available to law enforcement officers with legal
authorization. The National Security Agency (NSA) designed the system and the underlying
cryptographic algorithm SKIPJACK, which is classified. Despite substantial
negative comment, ten months later the National Institute of Standards and Technology
approved the Escrowed Encryption Standard (EES) as a voluntary Federal standard
for encryption of voice, fax, and computer information transmitted over
circuit-switched telephone systems.

Underlying the debate on EES are significant issues of conflicting public needs.¹
Every day, millions of people use telephones, fax machines, and computer networks
for interactions that used to be the province of written exchanges or face-to-face
meetings. Private citizens may want to protect their communications from electronic
eavesdroppers. Law enforcement seeks continued access to criminals'
communications (under legal authorization). In order to compete in the global marketplace,
U.S. manufacturers want to include strong cryptography in their products. Yet
national-security interests dictate continued access to foreign intelligence. Both the
EES and the controversy surrounding it are but the latest and most visible
developments of a conflict inherent in the Information Age. Electronic communication is
now an unavoidable component of modern life.

¹EES is primarily for use with telephones and fax machines, but this report also addresses
the expected extension of escrowed encryption to a broader context than the present Federal

Many times a day people transmit sensitive data over insecure channels: reciting
credit card numbers over cellular phones (scanners are ubiquitous), having private
exchanges over E-mail (Internet systems are frequently penetrated), charging calls
from airports and hotel lobbies (our Personal Identification Numbers (PINs) are
easily captured). The problem is magnified at the corporate level. For several years in
the nineteen-seventies, IBM executives conducted thousands of phone conversations
about business on the company's private microwave network — and those
conversations were systematically eavesdropped upon by Soviet Intelligence agents.

IBM's situation is not unique. Weak links exist throughout electronic communica- 
tions, in networks and in distributed computer systems. Often the vulnerability of 
communications allows system penetration. Computer systems can be a weak link. 
Deceptive communications can easily undermine users' confidence in a system. For 
example, a group of students at the University of Wisconsin forged an E-mail letter 
of resignation from the Director of Housing to the Chancellor of the University. 
There can be denials of service because of altered or jammed communications; "video 
pirates" have disrupted satellite television programs a number of times. 

Over the past five years thousands of mainframe computers have been replaced
by networked distributed computing systems. This process is accelerating, and that
change will only increase the importance of secure electronic communications. The
National Information Infrastructure (NII), the "information superhighway", will
have an even greater effect. Businesses will teleconnect with customers to sell and
bill. Manufacturers will electronically query suppliers to check product availability.
Insurance companies, doctors and medical centers will carry on electronic exchanges
about patient treatment. The emerging technologies of the Information Age are
revolutionizing the ways in which people exchange information and transact business.
Much of the information being sent on the NII will be sensitive. Protecting
confidentiality, authenticity and integrity in the information infrastructure is extremely
important to economic stability and national security.

How can communications security be achieved? A very important part of the solu- 
tion is cryptography. Cryptography was once the domain of generals and small chil- 
dren, but the advent of the Information Age has sharply increased the public's need 
for it. Cryptography can help prevent penetration from the outside. It can protect 
the privacy of users of the system so that only authorized participants can com- 
prehend communications. It can ensure integrity of communications. It can increase 
assurance that received messages are genuine. 

Confidentiality, the benefit most often associated with cryptography, is obtained
by transforming (encrypting) data so that it is unintelligible by anyone except the
intended recipient. Integrity is a security service that permits a user to detect if
data has been tampered with during transmission or while in storage. Closely
related to integrity is authenticity, which provides a user with a means of verifying the
identity of the sender of a message.

Over the last twenty years several strong cryptographic algorithms² have
emerged, including the Data Encryption Standard, or DES, and the public key
algorithms, Diffie-Hellman and RSA. DES is coming to the end of its useful life with
its key size and complexity being overtaken by improvements in speed and cost of
computers. Because strong cryptography for confidentiality purposes has the
potential to interfere with foreign intelligence gathering, the U.S. government generally
does not permit the export of strong cryptography for confidentiality purposes.
Strong cryptography can also impede electronic surveillance by law enforcement. Yet
the U.S. private sector, from bankers to the future users of the NII, needs strong


²Strong cryptographic algorithms are ones which are exceedingly difficult to break by attacks
including exhaustive search over the entire key space.

The Escrowed Encryption Standard (EES) was proposed as a solution to these
conflicting problems, by making available strong cryptography while providing a
mechanism through which law enforcement could access encrypted communications.
But EES raises problems of its own:

(i) Many are uncomfortable with a cryptographic scheme in which the
private keys of users are available to the U.S. government,

(ii) Many distrust a scheme where an algorithm for public use is classi-

(iii) Foreign buyers may be unwilling to purchase products that imple- 
ment the EES, and 

(iv) The algorithm is available only in hardware form, increasing costs 
and decreasing flexibility. 

In 1975, the United States proposed DES for the protection of "sensitive but
unclassified information" by government agencies. DES, which was designed by IBM,
was adopted as a Federal Information Processing Standard (FIPS) in 1977 (in the
same series that now includes the EES). It is a private or single-key system and
the key used to protect communications between two parties must be known to both
parties and kept secret from everyone else.

At the time DES was proposed, it enjoyed a period of controversy in which its 
keys were characterized as too small and other weaknesses were suspected. Despite 
this, DES has proven remarkably resistant to public attacks. 

At about the same time, academic researchers developed a family of cryptographic
techniques that became known as public-key or two-key cryptography. One
approach, proposed by Ralph Merkle at Berkeley and refined by Whitfield Diffie and
Martin Hellman at Stanford, allowed two parties to negotiate a common secret piece
of information over an insecure channel. Another, proposed by Diffie and Hellman
and realized by Ron Rivest, Adi Shamir, and Leonard Adleman of MIT, made it
possible to use a key that was not secret (a public key) to encrypt a message that could
only be decrypted by a particular secret key. Conversely, a message transformed by
a secret key could be verified as coming from the sender by applying the sender's
public key. This second use of public-key technology came to be called a digital sig-

By 1991, the RSA system, which is based on the notion that factoring integers
is computationally much more difficult than multiplying them, had become the
de facto standard for digital signatures. The list of licensees of RSA digital signature
technology³ read like a computer industry roll-call: Apple, AT&T, DEC, IBM, Lotus,
Microsoft, Northern Telecom, Novell, Sun, WordPerfect.

RSA and DES provide the U.S. commercial sector with techniques for achieving
confidentiality, integrity and authenticity; for example, Privacy Enhanced Mail
(PEM), an Internet standard for secure E-mail, combines them to achieve security.
However, with the exception of exporting DES for use by financial institutions or
foreign offices of U.S.-controlled companies, the State Department typically refuses
export license for confidentiality systems employing the algorithm. Despite this,
DES is believed to be the most widely used cryptosystem in the world, except
perhaps scramblers used for pay-television. In the United States, the American
Banking Association recommends DES whenever cryptography is needed to protect
financial data. DES is the cryptographic scheme most often used in commercially
available secure telephones.

The export system presents a problem for U.S. industry, all the more so since 
DES is widely available outside the United States. A March 1994 study by the
Software Publishers Association lists thirty-three foreign countries with 152 cryptog-
raphy-based products using DES. 


A brief look at communication systems explains the importance of cryptography 
in achieving security. Telephony is an excellent example. The only way to provide 
a secure voice path between two telephones at arbitrary locations is to encrypt the 
words spoken into one and decrypt them as they come out of the other. Public-key
cryptography makes it possible for the two phones to agree on a common key known
only to them without the mediation of a trusted third party. The users simply estab- 
lish the call, push a button, and wait a few seconds for the phones to make the ar- 

In the simplest systems, the users must rely on voice recognition to assure
authenticity, just as with unsecured phone calls. If the system must provide
authentication to users who do not know one another, some central administration is
required to issue cryptographic credentials by which each phone can recognize the
other.

3 RSA is patented in the U.S.

Currently, secure telephones are expensive. In addition to the cryptographic
devices, a secure phone must include a voice digitizer to convert speech to a form in
which it can be encrypted and a modem to encode the digitized signal for
transmission over the phone line. As a result, the least expensive secure phones cost over
a thousand dollars apiece.

Securing communications for computers in a distributed system presents different 
problems. There is no analogue of voice recognition. If authentication is to be avail- 
able, it must be done by formal cryptographic procedures. This requires the comput- 
ers to identify people or machines through long-term keys. The relationship between 
telephones, even secure telephones, is conceptually simple: they set up calls and 
transmit sound. The relationship between computers in a distributed system is con- 
siderably more complex: machines routinely share files and execute programs for 
each other. These wedded interactions complicate the process of protection and
make computer break-ins difficult to prevent. 

Systems owners are typically unwilling to make substantial investments in hard- 
ware or software for security purposes, although they may be willing to pay some 
premium for products that contain integrated security features. Many vendors see 
software as the least expensive means of adding cryptographic security features to 
their products. 

A secure mail system like PEM is the workstation analogue of a secure telephone; 
it encrypts and decrypts mail so the user can correspond privately. Unfortunately, 
a software implementation of PEM is vulnerable to penetration of the program in- 
cluding the compromise of its long term keys. One of the ways in which such pene- 
trations occur is through the implanting of modified programs or other data into the 
user's working environment. Without trustworthiness, cryptography embedded in an 
application or in the operating system is no panacea.


Technology causes a constant rearrangement in the relationship between the 
criminal and the law. The advent of telecommunications enabled criminals to exe- 
cute their plans more covertly. Once law enforcement learned how to listen in, offi- 
cials could do so without placing themselves in danger. Wiretapping is a tool that 
diminishes the value of communications to criminals; cryptography potentially
counters this.

Current wiretap law dates from the 1968 Omnibus Crime Control and Safe 
Streets Act; Title III of the Act established the basic law governing interceptions in 
criminal investigations. In 1978 the Foreign Intelligence Surveillance Act
established the national-security counterpart to Title III, authorizing electronic surveil-
lance for foreign intelligence. 

Title III requires a court order for the installation of a wiretap (as do most FISA 
intercepts). For Title III orders there must be probable cause to believe that the tar- 
geted communications device — whether phone, fax, or computer — is being used to fa- 
cilitate a crime, which must be one of those enumerated by the law. Thirty-seven 
states also have statutes authorizing wiretaps; by law, the state requirements must 
be at least as restrictive as the Federal statute. 

Since 1968, when Title III was passed, there have been approximately nine hun- 
dred Federal and state wiretaps annually. In data released by the Administrative 
Office of the U.S. Courts, between 1968 and 1992, the average annual number of 
incriminating conversations intercepted has remained between two and four hun- 
dred thousand. In 1992, the average cost of installing a wiretap and subsequently 
monitoring it was $46,492. 

The law enforcement community views wiretaps as essential. Such surveillance 
not only provides information not obtainable by other means, it also yields evidence 
that is considered extremely reliable and probative. According to the FBI, organized 
crime has had severe setbacks due to the use of wiretap surveillance. The FBI be- 
lieves the tool is critical for drug cases. Wiretapping is an important investigative 
technique in cases of governmental corruption and acts of terrorism. 

The importance of wiretap surveillance was the reason for the Digital Telephony
Proposal, which was developed by the FBI and submitted to Congress in 1992. To
ensure that the government's ability to intercept communications is not curtailed by
the introduction of advanced digital switching technology, this proposal requires
providers of electronic communication services to design their switches accordingly.
Major members of the computer and communications industries, including AT&T,
Digital, Lotus, Microsoft and Sun, strongly opposed the proposal, and there were no
Congressional sponsors. A revised proposal was recently submitted for consider-

The Digital Telephony Proposal concerns access to communications, but law en- 
forcement is also concerned about its ability to understand those communications 
after interception. Off-the-shelf encryption technology may be an easy way for 
lawbreakers to foil criminal investigative work. Members of the law-enforcement 
community view EES as a solution that provides the public with strong cryptog- 
raphy while not compromising investigators' ability to comprehend legally inter- 
cepted communications. 


Foreign access to cryptography of even moderate strength poses a problem for
U.S. intelligence. Those who think about vulnerabilities from the viewpoint of
security typically regard strong encryption of each message as the only barrier to
communications intelligence. However, a message cannot be analyzed until it has been
located. Locating the traffic of interest is as important a problem as any. Even
encryption that is too weak to resist concerted attack can multiply the cost of
targeting traffic several-fold.

The growth of communications intelligence in this century has been accompanied
by a similar growth in techniques for protecting communications, particularly
cryptography. Nonetheless the communications intelligence product is now better than
ever. In the recent past, there has been migration of communications from more
secure media such as wirelines or physical shipment to microwave and satellite
channels; this migration has far outstripped the application of any protective measures.

But while the United States may be the greatest beneficiary of communications 
intelligence in the world today, it is also its greatest potential prey. The protection 
of American communications against both interception and disruption is vital to the 
security of the country. 

When DES was adopted as a government standard in 1977, cryptographic
protection of substantial quality became available in both hardware and software
packages. With hindsight, some in the intelligence community might consider the public
disclosure of the DES algorithm to have been a serious error. DES-based equipment
became available throughout the world; cryptographic principles revealed by study- 
ing the algorithm inspired new cryptographic designs; and DES provided a training 
ground for a generation of public cryptanalysts. 


National-security experts argue that export control is essential if the U.S. is to
protect its communications without affording protection to the rest of the world.
Export-control policy seeks to limit foreign accessibility to strong cryptography.
Internet availability of strong cryptography notwithstanding, many security experts
believe that the export control policy is working. They argue that foreign
organizations that are concerned about protecting their information from sophisticated
intercept are not likely to download an encryption program from the Internet. Others
disagree, and believe that the only real effect of present export-control policy is to
ship U.S. jobs overseas. Many complain that export control has had a chilling effect
on American business by making U.S. products less competitive.

Export-control policy on cryptography has complicated development of secure
systems. An example is provided by Digital Equipment's Distributed System
Security Architecture (DSSA), which DEC spent many years and many millions of
dollars developing. In planning the system, Digital sought to make a product which
would pass government export controls for cryptography. In particular, in designing 
DSSA Digital engineers carefully separated authentication from confidentiality. 
They began building two distinct versions of the product, a domestic one with au- 
thentication and confidentiality, and one for export, with authentication only. This 
additional complexity slowed the work. A Digital senior manager familiar with the 
program asserted that the delays associated with attempts to meet export restric- 
tions were a significant factor in Digital's decision to abandon DSSA. 

Cryptography is not the only American product subject to export control. Striking 
a balance between economic strength (by opening markets for U.S. companies), and 
protecting national security (by restricting the sale of military technology) requires 
making complex choices. What differentiates this conflict from, say, the exportability 
of supercomputers, is that equivalent cryptographic products are available for sale 
internationally. Opponents of cryptographic export controls argue that U.S. vendors
are penalized while cryptographic products proliferate. Proponents of these controls
argue that the most serious threat to foreign intelligence gathering comes not from
stand-alone products that constitute most of the market, but from well-integrated,
user-friendly systems in which cryptography is but one of many features. From this
perspective, it is essential to control export of the commodity, desktop hardware and
software with integrated cryptography. The U.S. is the pre-eminent supplier of
such products.

National-security experts have argued that removal of U.S. export controls on 
cryptography would result in the imposition of foreign import controls; they point 
to France, which does not permit the use of encryption without governmental reg- 
istration of the algorithm. In recent years, the policy of the U.S. government is to
oppose trade restraints, so this contention is something of an about-face. It is
speculative. At present, no Western European governments other than France restrain the
import of cryptographic products, and only a few Asian governments do so. 

The EES may have an indirect impact on the export of computer equipment.
Export of key-escrow equipment will be permitted, but both the secrecy of the algo-
rithm and the U.S. government's possession of keys may dampen the enthusiasm 
of prospective foreign buyers. In order to build products for both the domestic and 
export markets, computer vendors might need to support two sets of cryptographic 


If law enforcement and national-security interests argue against the availability
of strong cryptography without key escrow, other traditions of the U.S. argue
strongly in its favor. The right to privacy, the "right to be left alone" is fundamental
to American life. Civil libertarians view the availability of strong cryptography as
necessary to the ability to communicate in privacy.

Protecting Americans' privacy rights is a constant struggle. Private industry,
including credit bureaus, insurance companies, and direct marketers, collects a vast
amount of information about individuals. The proliferation of electronic databases
has only exacerbated the problems Congress attempted to ameliorate twenty-four
years ago, when it passed the Fair Credit Reporting Act. Despite abuses by the
private sector, civil-liberties groups view government abuse of privacy with much
greater concern. In its attempt to ensure the safety of its citizens, the government
can overstep boundaries of the rights of the individual. One does not have to look 
far back in the nation's history to find egregious examples of such abuse. 

Based on information illegally supplied by the Census Bureau, one hundred and
twelve thousand Americans of Japanese ancestry were put in internment camps 
during World War II. During the nineteen-sixties, the FBI regularly taped conversa- 
tions of many civil rights leaders, including Martin Luther King. The 1974 Senate 
Select Committee to Study Governmental Operations found numerous examples of 
the NSA abuse of privacy rights of private individuals. As a direct result of these 
activities, legislative, executive order and regulatory provisions were instituted with 
the intent of eliminating future such occurrences. 

Privacy rights are one of the individual's most potent defenses against the state.
Privacy rights of the individual are embedded in the Fourth and Fifth Amendments.
Supreme Court Justice Louis Brandeis said it eloquently in his dissent on the
Olmstead wiretapping case,

The makers of our Constitution undertook to secure conditions favorable
to the pursuit of happiness. They recognized the significance of man's
spiritual nature, of his feelings and his intellect * * * They sought to protect
Americans in their beliefs, their thoughts, their emotions and their
sensations. They conferred, as against the government, the right to be let alone —
the most comprehensive of rights and the right most valued by civilized
man * * * ⁴

Privacy, however, is not always deemed absolute. Sometimes privacy is traded for
convenience. Americans are captured on video recordings as we shop; we leave
behind electronic chronicles as we charge phone calls. We pay for milk and bread via
an ATM withdrawal at the supermarket, and we leave a record of our actions where 
five years ago we would have left a five-dollar bill. Sometimes it is traded for safety. 
Each day hundreds of thousands of Americans pass through metal detectors to get 
on airplanes. Most people consider those intrusions of privacy well worth the assur- 
ance of greater public safety. 

4 Olmstead v. United States, 277 U.S. 438, 1928, pg. 752.



Civil-liberties groups argue that constitutional protections need to keep pace with
new technology. Their concern is that governmental attempts to limit the use of
cryptography, whether through force of law, or through more subtle efforts such as
market domination, can result in the foreclosing of privacy protection choices.

Concern over control of cryptography first arose when cryptography became an
active area of research for academia and business. There were conflicts over which
Federal agencies would fund non-governmental cryptography research, and whether 
such work might be subject to some form of prior restraint on publication. 

In response to these difficulties, the American Council on Education convened a 
study group, which presented a set of voluntary guidelines for prepublication review 
of research papers in cryptography. The National Security Agency and the National 
Science Foundation worked out an agreement by which both agencies would fund
cryptographic research. Research now flourishes in both domains.

Several years later, President Reagan issued National Security Decision Directive
145 (NSDD-145), establishing as Federal policy the safeguarding of sensitive but
unclassified information in communications and computer systems. NSDD-145
stipulated a Defense Department management structure to implement the policy: the
NSA, the National Security Council and the Department of Defense. There were
many objections to this plan, from a variety of constituencies. Congress protested
the expansion of Presidential authority to policy-making without legislative
participation. From the ACLU to Mead Data Central, a broad array of industrial and
civil-liberties organizations objected to Department of Defense control of unclassified
information in the civilian sector.

In 1987 Congress sought to clarify the issue with the Computer Security Act, 
which assigned to the National Bureau of Standards (now the National Institute of 
Standards and Technology, or NIST) "responsibility for developing standards and 
guidelines to assure cost-effective security and privacy of sensitive information in 
Federal computer systems, drawing on the technical advice and assistance (includ- 
ing work products) of the National Security Agency, where appropriate."

Civilian computer security standards were to be set by a civilian agency. But 
seven years later both civil-liberties and industrial groups feel NSA is more involved 
in civilian standards than the Computer Security Act mandated. They point to the 
NSA-designed digital signature standard (DSS) and the cryptographic algorithm
SKIPJACK that underlies EES. Concerns over national-security involvement in
civilian matters, as well as concerns over the government plan to escrow keys of
private users have led such civil-liberties groups as the ACLU and Computer
Professionals for Social Responsibility to oppose EES.


Advocates of EES claim the availability of strong cryptography will provide Amer- 
icans with better and more readily available privacy protection than they currently 
enjoy. They observe that no one will be forced to use it, and that other forms of 
encryption will be allowed. Opponents believe the potential for abuse by the govern- 
ment makes EES a danger not to be risked, and counter that if a large Federal 
agency like the IRS adopts EES, then electronic filers who choose to secure their 
transmissions may have to use EES. This would have the impact of making the vol- 
untary standard the de facto national one. 

There is no question that the market impact of the Federal government can be
huge, although recent experience illustrates that the government's ability to
influence the computer communication market is not always successful.⁵ Adoption of
EES, as a standard, voluntary or otherwise, decreases the chance there will be
competing systems available. Indeed the true success of EES, as measured by law
enforcement's continued ability to decrypt intercepted conversations, can only come at
the expense of (widespread use of) competing systems for secure telecommuni-

Proponents respond that privacy protection will be better than ever. Should the 
government illegally tap a communication, the escrowed system will leave an elec- 
tronic audit trail, and make the illegal interception easier to uncover than it is at 
present. Reminding us of the abuses of Watergate and the revelations of the Church 
Committee, civil-liberties groups contend that the NSA should not be building gov- 
ernment trap-doors into the civilian communications infrastructure. 

5 The failure of the GOSIP initiative, an attempt to mandate procurement of computer
communication protocols that conform to the ISO OSI standards, is one such example.



Meanwhile EES presents other problems for the computer industry. The govern- 
ment's attempt to create strong cryptography that would not hinder law enforce- 
ment's abilities to comprehend legally intercepted conversations led to a hardware 
solution. Industry prefers software implementations for a number of reasons. They 
are cheaper, and they offer a flexibility that hardware does not.

The industry has already made substantial investments in DES and RSA solu- 
tions for secure systems. In lots of ten thousand, Clipper chips will cost approxi- 
mately $15; industry experts contend that this translates to a finished product with 
escrowed encryption capabilities costing about sixty dollars more than one without.
From a vendor viewpoint, hardware encryption provides greater security but does
so at much greater expense than software. It is not clear that prospective
purchasers are willing to pay for this increased security.


In the full report, we discuss in detail the various policy and technical concerns 
surrounding cryptography. The problems of communications security and its
cryptographic solution are technical ones, but the issues are much broader. They deserve
careful and thoughtful public debate. We raise questions here and in the full report. 
Answers will take longer. 

It took the Supreme Court nearly forty years to expound on the privacy of tele- 
phone communications. In the Olmstead case in 1928, the Supreme Court held that 
wiretapping evidence did not need court authorization. Over the next four decades, 
the Court slowly created a penumbra of privacy for telecommunications. Finally, in 
1967, in Katz versus the United States, the Court held that a phone call in even 
so public a place as a phone booth was deserving of privacy — it could not be tapped 
without prior court authorization. Computer communications differ from the tele- 
phone, but it is likely that the public's embrace of this medium will be considerably 
more rapid than the acceptance of the earlier technology. How will law and policy 
for the protection of electronic communications evolve? Is there an absolute right to 
communications privacy? 

Members of the law enforcement community believe that the widespread use of
encrypted telecommunications (especially phone calls) will interfere with their
ability to carry out authorized wiretaps. Is this a problem that needs a solution? Should
cryptographic solutions for communications security include authorized government 
access for law enforcement and national security purposes? 

What will happen if criminals use cryptography other than EES? The Digital
Telephony proposal involves investment in the telephone infrastructure in order to
ensure that court-authorized wiretaps can be carried out. These wiretap capabilities
will be less useful if communications are encrypted. What is the relationship be- 
tween Digital Telephony and EES? Will there be any future attempt to outlaw alter- 
native forms of cryptography? 

What would the success of escrowed encryption mean? Would it simply mean
government use of EES-type products? Or would it mean a much more widespread use
of EES products? Would it mean the availability of EES-type products to the exclu- 
sion of all else? 

We are experiencing fundamental transformations in the way that people and or- 
ganizations communicate. The very infrastructure of the nation is changing. The 
question we need to address is: How should we interpret the Fourth Amendment,

The right of the people to be secure in their persons, house, papers and 
effects against unreasonable searches and seizures shall not be violated; 
and no warrants shall issue but upon probable cause * * * 

for the Information Age? 


Susan Landau is Research Associate Professor at the University of Massachu- 
setts. She works in algebraic algorithms, which has applications to cryptography. 

Stephen Kent is Chief Scientist-Security Technology for Bolt Beranek and
Newman Inc. For over 18 years, he has been an architect of computer network
security protocols and technology for use in the government and commercial sectors.

Clinton C. Brooks is an Assistant to the Director of the National Security Agency. 
He is responsible for orchestrating the Agency's technical support for the govern- 
ment's key escrow initiative. 


Scott Charney is Chief of the Computer Crime Unit in the Criminal Division in 
the Department of Justice. He supervises five federal prosecutors who are respon- 
sible for implementing the Justice Department's Computer Crime Initiative. 

Dorothy E. Denning is Professor and Chair of Computer Science at Georgetown 
University. She is author of "Cryptography and Data Security" and one of the out- 
side reviewers of the Clipper system. 

Whitfield Diffie is Distinguished Engineer at Sun Microsystems. He is the co-in- 
ventor of public-key cryptography, and has worked extensively in cryptography and 
secure systems. 

Anthony Lauck is a Corporate Consulting Engineer at Digital Equipment and its
lead network architect since 1978. His contributions span a wide range of 
networking and distributed processing technologies. 

Douglas Miller is Government Affairs Manager for the Software Publishers Asso- 

Peter G. Neumann has been a computer professional since 1953, and involved in
computer-communication security since 1965. He chairs the ACM Committee on 
Computers and Public Policy and moderates the Risks Forum. 

David L. Sobel is Legal Counsel to the Electronic Privacy Information Center 
(EPIC). He specializes in civil liberties, information and privacy law and frequently 
writes about these issues. 




3622 Campus Drive, Newport Beach, CA 92660

Data users

Hal Quinley

Time/CNN poll

Here are the results of the latest Time/CNN poll conducted on March 2-3, 1994.
The survey was conducted by telephone among 600 adult Americans. The sampling
error is plus or minus 4%.


The r)«-QnerYpti<;^n rhip Tgmmft 
(March 2-3, 1994) 


19. Which of the following do you think is more important?

Protecting the ability of police and other government officials to catch
criminals by listening to phone calls: 29

(Or,) Protecting the ability of private citizens to prevent anyone, including
the police, from listening to their phone calls: 66

Not sure: 5

20. It has been proposed that a computer chip be installed in every
telephone, computer modem and fax machine. The government would be able to
tap into these devices and listen to messages if a judge permits it. Do you
favor or oppose giving the federal government this authority?

Favor: 18

Oppose: 80

Not sure: 2





Questions and Answers 

Answers to Questions From Senator Leahy to Assistant Attorney General 

Jo Ann Harris 

Question 1. What is the number of people who will have access to the key escrow 
facilities within the Commerce and Treasury Departments? What is the number of
people with access to those keys that have been released pursuant to court order? 

Answer 1. To begin with, it must be understood that the key-escrow databases 
will be held in encrypted form and that the escrow agents will be incapable of 
decrypting those databases. Nevertheless, both NIST and Treasury will strictly limit
the number of individuals that have access to the key-escrow databases, with the
objective of keeping that number to the minimum necessary to meet the
requirements of the system, including the need for a 24-hour response capability. In each
agency, the number of individuals with such access is expected to be no more than 
about a dozen, and, in each case, fewer than that number are expected to be in- 
volved in the chip programming process. Moreover, all such individuals will hold na- 
tional security clearances at least to the Secret level. 

We understand the second question as asking the number of persons who will 
have access to the key components at the agency to which the components have 
been released for use in conjunction with lawfully authorized electronic surveillance. 
We cannot, of course, provide a precise number of the persons at, for example, a 
field office of the Drug Enforcement Administration, who might be present when a 
key component is received from an escrow agent. In this regard, however, it should 
be remembered that the key components are stored and transmitted in encrypted 
form and that the encrypted components can only be decrypted, combined, and used 
by the decrypt processor. Therefore, the receiving law enforcement agency has no 
access to the unencrypted key. Consequently, we believe that what is important is 
not the number of persons at the receiving law enforcement agency who may lay 
eyes on an encrypted string of 80 bits, but, rather, the rigid controls over the con- 
duct of electronic surveillance that may require decryption of key escrow-encrypted 

Question 2. Can an escrow agent exercise discretion in the release of key informa- 
tion? Can they refuse an inappropriate request? 

Answer 2. The escrow agents are not in a position to exercise discretion regarding 
the propriety of releasing key components in response to properly submitted re- 
quests, because they should not substitute their judgment regarding the propriety 
of decrypting communications for the judgment of the court that has authorized the 
interception of such communications. The procedures for key component release to 
government agencies are intended to permit escrow agents to respond promptly to 
requests submitted in proper form and to maintain clear, auditable records of the 

A properly submitted request will include, among other things, identification of 
the agency and individuals making the request, identification of the source of the 
authorization to conduct electronic surveillance, and specification of the termination 
date of the authorized surveillance period. Federal agency requests for releases 
under Title III or FISA will be followed by an attorney's confirmation of authority 
to conduct electronic surveillance; State or local requests are to be submitted by the 
principal prosecuting attorney of the State or political subdivision involved. A key 
escrow agent may not, of course, release a key component in response to a request 
not meeting the requirements for submission, including, for example, one that does 
not specify the source of the authorization. 

Question 3. What is the process for auditing the activities of the escrow agents 
and use of the keys? 

Answer 3. Auditing will be possible at various stages of the process, as well as 
in retrospect. Thus, for example, after being advised of a key component release re- 
quest, the Department of Justice will make necessary inquiry to be assured that the 
relevant Federal, State or local authorities have been authorized to conduct elec- 
tronic surveillance for criminal investigative purposes, or that relevant Federal au- 
thorities have been authorized to conduct electronic surveillance under FISA. (At 
least at the outset, such inquiry will be made in all cases.) Key component releases 
will require confirmation of receipt of the key components by the intended recipient 

The fully developed key escrow database system will provide permanent electronic 
records of transactions, particularly the details of releases of key components, with 
secure audit capabilities built in. The compliance of the key escrow agents will be 


subject to inspection, both by representatives of the Department of Justice and by 
inspection personnel within their own organizations, to verify the relationship be- 
tween each key escrow component release and a properly submitted release request 
and receipt of a certification of termination of decryption capability in conjunction 
with the end of the authorized period of electronic surveillance. 

Later versions of the decrypt processor will automatically terminate decryption ca- 
pability no later than the end of the period of authorized electronic surveillance. In 
the prototype version, decryption capability is terminated manually. That termi- 
nation can easily be confirmed by physical inspection, particularly since, in the early 
stages of the program, the decrypt processors are expected to be centrally held. 

These methods of confirming the integrity of the system are over and above those 
procedures normally associated with electronic surveillance. For example, electronic 
surveillance logs can be reviewed to confirm that a request for key component re- 
lease truly was associated with the particular wiretap on which the requester relied. 

Question 4. Situations have arisen where the government has created systems 
that were only supposed to be used for one purpose but have been permitted to be 
used for others. What protections are in place to make sure that the key escrow 
databases held by the escrow agents are never used for any purpose other than to 
decrypt messages pursuant to a lawful court order? 

Answer 4. Each of the key escrow agents administers a database that comprises, 
essentially, two groups of data: a series of chip unique ID numbers and, for each 
chip unique ID number, a string of 80 bits that is stored only in encrypted form. 
Those databases contain no personal information associated with individuals who 
may own or use devices equipped with the particular chips; hence, the key escrow 
databases are not susceptible to the kinds of misuse to which databases of personal 
information might be subject. 

Nonetheless, the Administration recognizes that it is crucial to ensure that key 
components contained in those databases are only made available to government 
agencies for use in conjunction with lawfully authorized electronic surveillance. For 
that reason, rigorous procedures for release of key components have been approved 
(copies of which are attached), and extremely strict database handling and process- 
ing technology and procedures have been implemented and are being further re- 

It should also be noted that key components will be provided requesting govern- 
ment agencies upon their certification of authority to conduct electronic surveillance; 
their actual submission of a court order will not be necessary. 

Question 5. How will the released escrow keys be transported to the law enforce- 
ment agency requesting them? What safeguards will be used when transporting the 
escrow keys? 

Answer 5. Key components are stored and transmitted to law enforcement agen- 
cies in encrypted form; they can be decrypted and combined only within the decrypt 
processor. Thus, neither the escrow agents, nor personnel at the law enforcement 
agency, will see the actual key components. Normally, the key components will be 
transmitted electronically. Initially, for use in the prototype version of the decrypt 
processor, they will be hand-carried by representatives of the respective escrow 
agents, to be manually entered (in encrypted form) into the processor. More ad- 
vanced versions of the decrypt processor will be able to receive input of the key com- 
ponents electronically transmitted directly from the escrow facility. 

Question 6. If an escrow location is compromised, all chip data contained there 
is compromised with what could be devastating consequences for U.S. Government 
and private sector entities using security devices with Clipper Chip. Do you antici- 
pate that these locations will become targets of opportunity for any criminal or ter- 
rorist organization? What back-up or physical security measures are envisioned? If 
multiple copies of the keys are kept, does this increase the threat of compromise? 

Answer 6. The key escrow system has been designed so that knowledge of one key 
component provides no information regarding the other key component, nor regard- 
ing the entire unique key. Moreover, the key components are themselves maintained 
in encrypted form, so that a person with access to a key component database does 
not even know the actual key components. Notwithstanding these safeguards built 
into the system, physical security of the key-escrow databases is a matter of fun- 
damental concern, and security procedures for handling and storing the databases 
take full account of that concern. The key-escrow databases are to be held under 
the kinds of protections accorded the most sensitive kinds of national security infor- 
mation. Back-up database capabilities will be maintained, so that escrow agents will 
be able to respond in a timely fashion even if the primary site is, for example, inca- 
pacitated by a fire or power outage. The back-up capabilities are subject to the same 
levels of protection as the primary systems. 
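
The property claimed in Answer 6, that one key component reveals nothing about the other or about the unique key, is what a two-way XOR split provides. The Python below is an added illustration, not part of the hearing record; the answer does not say how the components are combined, so XOR combination, the function names and the sample key are assumptions, and the separate encryption of each stored component is not modelled.

```python
import secrets
from collections import Counter

KEY_BITS = 80  # the answers describe each escrowed value as "a string of 80 bits"


def split_key(unit_key: int, bits: int = KEY_BITS, rand=None) -> tuple[int, int]:
    """Split unit_key into two components whose XOR equals the key.

    ASSUMPTION: XOR combination. `rand` lets a caller fix the first
    component (used below to enumerate every possible split).
    """
    if not 0 <= unit_key < (1 << bits):
        raise ValueError("key does not fit in the stated width")
    c1 = secrets.randbits(bits) if rand is None else rand
    c2 = unit_key ^ c1
    return c1, c2


def combine(c1: int, c2: int) -> int:
    """Recover the unit key; only a holder of BOTH components can do this."""
    return c1 ^ c2


def consistent_partner(known_component: int, candidate_key: int) -> int:
    """Return the other component that would make candidate_key the real key.

    Such a partner exists for every candidate, so a single component
    rules out no key at all.
    """
    return known_component ^ candidate_key


def component_distribution(unit_key: int, bits: int) -> Counter:
    """For a small width, enumerate every possible random first component
    and count which second-component values result."""
    return Counter(split_key(unit_key, bits, rand=r)[1] for r in range(1 << bits))


if __name__ == "__main__":
    sample_key = 0x0123456789ABCDEF0123  # constructed 80-bit value, not a real key
    a, b = split_key(sample_key)
    print("recombined correctly:", combine(a, b) == sample_key)

    # With 4-bit toy keys, the second component is uniformly distributed
    # and its distribution is identical whatever the key is.
    print(component_distribution(0b0000, 4) == component_distribution(0b1011, 4))
```

What a single compromised escrow database yields under this model is a set of uniformly random strings; the protection depends entirely on the two databases never being exposed together.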


Question 7. A decrypt device will receive an electronic transmittal of the two key 
halves from the escrow agents. The decrypt device will then be able to decrypt the 
intercepted message, until the wiretap authorization ends, when it will automati- 
cally turn itself on. According to Department of Justice testimony at the May 3, 
1994 hearing, one of these decrypt devices has been built. How many more of these 
devices do you expect to be built? Will the decrypt devices be maintained in the 
central secure facility? If so, who will maintain custody of the devices and how will 
they be distributed to the law enforcement agencies that need them? 

Answer 7. Termination of a decrypt processor's ability to decrypt communications 
using a particular key-escrow chip is a fundamental protection built into the system, 
and law enforcement agencies that have received key components will be required 
to certify such termination. In the prototype model of the decrypt processor, that 
termination is effected manually; automatic termination will be available in later 

The number of decrypt processors that will ultimately be produced will probably 
be in large measure a function of the number of key-escrow equipped devices in use 
throughout the country and the number of times key-escrow encryption is encoun- 
tered in the course of wiretaps. For the foreseeable future, it is likely that decrypt 
processors would be centrally held by the FBI, to be made available for use in the 
field on an as-needed basis. 

Question 8. The objective of the key escrow encryption system is to provide "real- 
time" electronic surveillance rather than recording and post-processing of targeted 
encrypted communications. How will this be accomplished with only one decrypt de- 
vice in the event that encrypted communications are intercepted over more than one 

Answer 8. As noted in the previous question, the key escrow system is still in its 
beginning phases and, therefore, the number of decrypt processors is, at the mo- 
ment, necessarily limited. This condition will change over time. However, the fact 
that there is only one decrypt processor currently available does not mean that it 
can only be used in support of one wiretap at a time. The decrypt processor is capa- 
ble of holding within its memory up to one hundred keys. Therefore, while it can 
only decrypt one communication at a time, it can readily be shifted from one wiretap 
to another as needed. Even wiretaps conducted at different locations can be accom- 
modated by retransmitting an encrypted intercepted communication from the pri- 
mary monitoring location to the location of the decrypt processor. 

Question 9. The Attorney General has selected NIST and the Automated Systems 
Division of the Treasury Department as the government agencies entrusted with 
safeguarding the keys because they could handle sensitive material in computer 
form and could respond quickly to requests for the keys, 

• Is it correct that other government agencies could also satisfy this criteria? 

• Could one or both of the escrow agents be non-government, private sector enti- 

Answer 9. Of course, other government agencies could meet the requirements for 
satisfactory service as key component escrow agents. Some of those agencies, how- 
ever, might not be perceived as sufficiently independent of law enforcement or na- 
tional security entities, or may otherwise not be considered as capable as the two 
selected agencies. 

With respect to the second question, it may not be necessary that both escrow 
agents be government entities. However, should a private entity serve as an escrow 
agent, there may be additional complexities regarding, among other things, the 
terms of any contract under which the entity serves; provisions to ensure the contin- 
ued corporate existence of such an entity; the entity's ability to accord the database 
the necessary physical security; the entity's ability to staff the system with suffi- 
cient numbers of appropriately cleared personnel; and its ability and willingness to 
respond to key component requests from all authorized law enforcement agencies, 
State and local as well as Federal. 

Question 10. Can the Attorney General change the escrow agents after the initial 
selection? How can the government be prevented from moving the escrow respon- 
sibilities to a more pliable escrow agent, if one of the agents refuses to turn over 
the keys? 

Answer 10. The Attorney General can designate an alternative escrow agent, and, 
as part of its continuing review of ways to make the system even better, the Admin- 
istration is considering whether there should be at least one escrow agent not with- 
in the Cabinet Departments. Designation of an alternative escrow agent would en- 
tail substantial complexities, not to mention considerable costs associated with es- 
tablishing the necessary capabilities in the new agency. It will not be done lightly, 
nor could it be done without a good deal of publicity. Replacement of one escrow 


agent with another would involve even greater complexities, since it would require 
the first to convey to the second its entire database to permit continuity in the han- 
dling and auditing of the database. 

The second question seems to hypothesize an escrow agent's refusal to release a 
requested key component, followed by a retaliatory transfer of escrow agent respon- 
sibilities to an agency deemed less likely to be recalcitrant. The short answer is that 
such a replacement, while theoretically possible, could abrogate the integrity of the 
system and would very likely undermine public confidence in it. Moreover, the Clin- 
ton Administration would not accept as an escrow agent an entity that would not 
fully comply with the protections built into the system. Indeed, regardless of the ad- 
ministration in power, the fact that such a change would be logistically very difficult 
and could only be done in a very public fashion makes it an extremely unlikely sce- 

Question 11. In explaining the procedures the escrow agents must follow to safe- 
guard the keys, the Attorney General stated "the procedures do not create, and are 
not intended to create any substantive rights for individuals intercepted through 
electronic surveillance." Does this, in effect, give the escrow agents immunity from 
liability for mishandling the keys? Does this give the right incentives to the escrow 
agents about safeguarding the keys? What are the current available remedies for 
mishandling the keys? 

Answer 11. The language to which you refer is part of the final paragraph in each 
of the three published sets of procedures for release of key components under, re- 
spectively, Title III, the Foreign Intelligence Surveillance Act (FISA), and State 
criminal wiretap statutes. 

The language is intended to make clear that the procedures themselves do not 
create any rights for individuals whose communications have been intercepted and 
for whose devices key components have been made available to government agen- 
cies. On the other hand, neither does the language abolish any rights that may oth- 
erwise exist by statute or at common law. It is not intended to be, nor could it serve 
to immunize the Government or its agents from liability for inappropriate release 
of escrowed key components if there is some basis in law for imposing liability on 
such persons. 

In this regard, it is important to bear in mind the fundamental interest at issue; 
namely, the protection of the privacy of communications. Release of key escrow com- 
ponents to permit decryption is an adjunct to the interception of communications 
and the acquisition of the contents thereof— much like arranging for translation of 
communications occurring in a foreign language. The privacy interest in the commu- 
nication continues to be protected by the Fourth Amendment and by the relevant 
statutes— Title III, FISA, or the individual State statutes. Unauthorized electronic 
surveillance is a Federal felony offense, regardless of whether the intercepted com- 
munications are encrypted. 

While key components must only be released to proper recipients and under ap- 
propriate conditions, there should be no confusion about the fact that an individual's 
privacy interest inheres in his or her communications. If key components are re- 
leased to a government agency entitled to intercept communications encrypted with 
a chip for which those components form the chip unique key, a departure from some 
technical aspect of the key release procedures will not — and should not — render ei- 
ther the intercept or the decryption unlawful. If key components are for some reason 
released to an entity not entitled to receive them, but are not used in conjunction 
with a communications intercept, the individual will not have suffered an invasion 
of his or her communications privacy. It is not clear under what, if any, cir- 
cumstances mere release of one or even both keys might create civil liability, if that 
release does not facilitate an unlawful electronic surveillance. 

Question 12. Should the U.S. government be prepared to make a strong warranty 
to the American public about the security of the key escrow system? Could this war- 
ranty be in the form of stiff penalties for breaches of the escrow procedures and in- 
demnification for those whose chips are compromised due to failures in the security 
of the escrow system? 

Answer 12. The Clinton Administration has already given strong assurances to 
the American public about the security of the key escrow system and will continue 
to do so. It is not clear whether public perceptions about key-escrow encryption 
would be materially affected by either imposition of penalties for breach of escrow 
procedures or indemnification of persons whose chips have been compromised 
through escrow system security failures. 

It may, however, be useful to make a few points regarding those possible ap- 
proaches. First, as noted in the answer to the preceding question, the privacy pro- 
tection attaches to the communication, not merely to the keys needed to decrypt 
that communication. Federal law already imposes severe penalties (both civil and 


criminal) for unlawful interception of communications, and, therefore, no additional 
penalties are needed in that regard. 

Second, some persons speak of a variety of circumstances as constituting a "com- 
promise" of a key escrow encryption chip. It is not clear that mere release of key 
components for a particular chip to persons not authorized to intercept communica- 
tions encrypted with that chip necessarily means that the chip has been com- 
promised. The key components alone do not permit decryption of communications 
encrypted with the particular chip; that process requires, as well, access to a 
decryption capability. Moreover, decryption of communications requires access to the 
communications themselves, the privacy of which is subject to the protections of the 
Fourth Amendment and relevant statutes. 

Question 13. Should there be civil or even criminal liability for wrongfully disclos- 
ing any of the component keys to the key escrow chips? If not, why not? 

Answer 13. As noted in the answers to the two preceding questions, the rigorous 
statutory protections against unauthorized electronic surveillance and against unau- 
thorized disclosure of electronic surveillance already provide both civil and criminal 
penalties for the unlawful interception of communications and the unauthorized dis- 
closure of the contents of lawfully intercepted communications. (See 18 U.S.C. 
§§2511, 2517, and 2520.) Release of escrowed key components would, at most, facili- 
tate understanding of the contents of intercepted communications. An individual's 
willful or reckless release of key components in a manner not consistent with the 
operative procedures would likely be subject to administrative action. Separate 
criminal or civil penalties do not appear to be needed. 

Question 14. The Department of Justice testified at the May 3, 1994 hearing that 
no new legislation was needed to implement the key escrow encryption program. 

• Should the Justice Department be required by law to report to Congress on 
those wiretaps in which key-escrow encryption was encountered and for which 
key components were released to a government agency? 

• Should the Justice Department's new responsibilities for ensuring compliance 
with the key escrow procedures by State and local law enforcement authorities 
be codified in law? 

• Should the Justice Department be required by law to give Congress a complete 
accounting of the number, use and location of the decrypt devices? 

• Should procedures for changing an escrow agent be codified in law? 

Answer 14. The Department of Justice does not see a need for legislation to deal 
with any of these matters. For example, the Department already expects that Con- 
gress will be made aware of wiretaps in which key-escrow encryption was encoun- 
tered and for which key components were released. The Department expects to pro- 
vide such information to the Administrative Office of the United States Courts for 
inclusion in the Office's annual report to the Congress on electronic surveillance 
under Title III and State statutes. With respect to electronic surveillance under 
FISA, the Department will provide such information as part of its FISA report to 
the intelligence oversight committees. 

The Department does not anticipate difficulty with assuring State and local com- 
pliance with key component release procedures, particularly when the decryption ca- 
pability rests exclusively in the hands of the Federal Government. With regard to 
the possible accounting for decrypt processors and their use and location, the De- 
partment does not object to providing such information to the Congress on a periodic 
basis. Finally, with regard to the selection of escrow agents, the Department be- 
lieves that legislation to govern the process by which the Executive Branch might 
select an alternative escrow agent could hamper its ability to improve the system. 
Any selection of alternative escrow agents would, like the selection of the current 
agents, be preceded by appropriate consultation with the Congress. 

Question 15. How will State and local law enforcement agencies access the key 
escrow system? Will every local Sheriff or police department that wants a decrypt 
device or the Chip Family Key get one? 

Answer 15. The procedures for releasing key components for use in conjunction 
with wiretaps under State statutes are much the same as those for release of key 
components in conjunction with wiretaps under Title III or FISA. An important dif- 
ference, however, is that requests for key components from State and local authori- 
ties cannot be submitted by law enforcement agencies; rather, they are to be submit- 
ted by the principal prosecuting attorney of the particular State or political subdivi- 
sion. This not only significantly reduces the total number of entities that might 
make requests, but ensures that requests are made by high-level, usually elected 
officials, of the various jurisdictions. 


As noted in the answer to an earlier question, the Administration recognizes that 
access to decrypt processors must remain carefully controlled. Among other things, 
key components will be released for use within a particular decrypt processor and 
will only be able to be decrypted and combined within that unit. Accordingly, careful 
control of the decrypt processors will contribute significantly to assurances of the 
integrity of the system. 

Law enforcement agencies will not have access to the family key other than as 
programmed into the decrypt processor. 

Question 16. Every Clipper Chip has the same Family Key programmed into it. 
When a wiretap intercepts conversations encrypted with Clipper Chip, law enforce- 
ment uses this Family Key to decode the intercepted serial number, or unique iden- 
tifier, which the targeted chip sends out at the beginning of every conversation. 
With the serial number, the law enforcement agency can get the government's dupli- 
cate set of decoding keys from the escrow agents. 

• Who has access to the Clip Family Key? Are they going to be distributed to all 
law enforcement agencies so they can quickly decipher serial numbers of chips 
that may become the target of a wiretap order? 

• Will the Chip Family Key to all Clipper Chips be protected in any way and, 
if so, how? 

• The Chip Family Key is built into the Chip when it is programmed and cannot 
be changed. In the event that someone got unauthorized access to the Chip 
Family Key, what could that person do with it? 

Answer 16. With respect to the first question, access to the family key is very 
closely held. The family key is the combination of two binary numbers that are inde- 
pendently and randomly generated and held, respectively, by the Department of 
Justice and the FBI. The combined family key is held under tightly controlled condi- 
tions in a dual-control safe at the programming facility for use in the programming 
process. When needed for a programming run, the family key is extracted from stor- 
age by specially designated employees of the programming facility, in the presence 
of representatives of the escrow agents, and entered into the programmer. At the 
end of a programming run, the programmer is again cleared of the family key. In 
addition, the family key is programmed into decryption equipment so that such 
equipment can discern the particular chip ID number when necessary. 

With respect to the question regarding availability of the family key to law en- 
forcement agencies, the foregoing explanation indicates the extraordinary limita- 
tions on access to the family key. Law enforcement agencies desirous of learning 
whether a particular communication is encrypted with key-escrow encryption and, 
if so, learning the particular chip ID number will have access to the family key only 
as programmed into the decrypt processor. This may require a particular law en- 
forcement agency not possessing such a processor to provide to an agency that does 
hold one the communications suspected of being encrypted, so that the initial deter- 
mination can be made. It should be emphasized, however, that a law enforcement 
agency's determination of whether communications are being encrypted, and of the 
ID number of the chip performing the encryption, would occur in conjunction with 
the conduct of a lawfully authorized wiretap — not, as the question may imply, as 
part of activities preceding such authorization. 

Notwithstanding the protections afforded the family key, access to that key is of 
only minimal value to a law enforcement agency. Apart from its ability to provide 
the law enforcement agency the ID number of a particular encryption chip, the fam- 
ily key, whether or not in the decrypt processor, is of no discernible value. The fam- 
ily key provides no access to the user's encrypted communications, nor does it make 
it any more possible for the law enforcement agency to conduct electronic surveil- 
lance of either encrypted or unencrypted communications. 

Question 17. The Justice Department has assumed responsibility to "take steps 
to monitor compliance with the procedures." What steps will the Justice Department 
take to monitor compliance by state and local law enforcement authorities, who con- 
duct the majority of wiretaps, to ensure that (a) the decrypt devices are adequately 
safeguarded and are deactivated when the authorization period ends; (b) the Chip 
Family Key is adequately safeguarded and (c) communications to the escrow agents 
are authentic? 

Answer 17. The question correctly notes that the majority of criminal wiretaps are 
conducted by State and local law enforcement. If key-escrow encryption becomes 
widely used, one can infer that a significant proportion of the key component re- 
leases will be associated with wiretaps conducted under State statutes. It is, of 
course, of fundamental importance that escrowed keys are no more susceptible to 
improper use by State or local authorities than by Federal agencies. 


(a) As noted earlier, the Department of Justice expects that, for some time, 
decrypt processors will be few in number and centrally maintained and con- 
trolled. In that event, it will be relatively easy to be assured that a decrypt 
processor is not diverted to an unauthorized person and that the decryption ca- 
pability is terminated at the end of the authorized period of electronic surveil- 
lance. At a later time, should a State or local law enforcement agency be able 
to acquire and hold its own decrypt processor, we expect that the decrypt proc- 
essor version will be one that will, among other things, (a) produce an electronic 
receipt for the key components transmitted to it, (b) have the capability of 
decrypting and combining only key components destined for that specific 
decrypt processor, and (c) automatically terminate its ability to decrypt the par- 
ticular encryption chip. These technical characteristics, coupled with the con- 
tinuing requirement that the key component request must come from the prin- 
cipal prosecuting attorney of a State or political subdivision, will offer great as- 
surance against diversion of decrypt processors and unauthorized retention of 
decryption capabilities. 

(b) With respect to the family key, the short answer is that the family key 
will not be available to State or local authorities, save within decrypt proc- 
essors. Apart from its ability to provide the law enforcement agency the ID 
number of a particular encryption chip, the family key, whether or not in the 
decrypt processor, is of no discernible value to that agency. The family key pro- 
vides no access to the user's encrypted communications. 

(c) Requests from State or local authorities for release of key components are 
to come, not from law enforcement agencies, but from the principal prosecuting 
attorneys of the States or political subdivisions involved. The authenticity of 
such submissions can be confirmed by contact with the principal prosecuting at- 
torney involved, which is expected to be a rather easy matter. 

Question 18. American firms are allowed to export Clipper Chip devices to non- 
U.S. customers. What procedures are contemplated or in place to deal with requests 
by foreign law enforcement authorities for access to the keys to any Clipper Chip 
device being used abroad? 

Answer 18. The Administration is according this issue careful consideration at 
this time. The Department of Justice believes that a number of important consider- 
ations would apply to any decision on whether to comply with a foreign country's 
request for assistance in decryption of key-escrow encrypted communications. For 
example, it will be important to know whether American citizens are targets of the 
electronic surveillance, and it will likely be important to know the reason for the 
electronic surveillance and the circumstances under which it was authorized, as well 
as whether the United States also has an interest in the electronic surveillance. It 
should also be noted that we may be able to assist the foreign country without pro- 
viding it either decryption equipment or the key components for the particular 
encryption chip — by, for instance, decrypting the communications in this country 
and merely providing the decrypted text to the requester. 

Answers to Questions From Senator Pressler to Assistant Attorney 

General Jo Ann Harris 

Question 1. Why do you believe that private manufacturers and users will pur- 
chase equipment which contains the Skipjack algorithm if that means the govern- 
ment can decode any encrypted messages, once it obtains the proper court approval? 

Answer 1. Your question rightly notes that key-escrow encryption chips use the 
Skipjack algorithm, an algorithm substantially stronger than others now in common 
use; it is, for example, 16 million times stronger than the Data Encryption Standard
(DES). The strength of the Skipjack algorithm makes key-escrow encryption chips
attractive for use by the Federal Government in protecting sensitive unclassified in-

Likewise, we believe that it will make such chips attractive to the private sector, 
and for much the same reason; namely, that it is a remarkably strong protection 
against intrusion by eavesdroppers or even persons or entities engaged in corporate 
espionage. Most of us recognize that we will never be the targets of wiretaps and 
we do not fear that prospect. We do, however, worry about illicit interception of our
communications, and strong encryption is excellent insurance against such activi- 

In addition, we believe that many businesses will come to recognize the value of
strong encryption that protects their proprietary information from unauthorized ac-
cess, but does not permit their employees to engage with impunity in criminal ac-
tivities inimical to the firms' interest and law enforcement would be rendered help-
less to investigate.

Question 2. What types of incentives does the Administration plan to use to en- 
courage the use of the Clipper Chip? What are the future steps of implementation 
which the Administration proposes to take? 

Answer 2. Various Executive Branch agencies are considering whether, and for 
what purposes, they may adopt key-escrow encryption and make it possible for per-
sons outside the government to use key-escrow encryption for conducting secure
communications with them. The Administration is also consulting with tele- 
communications equipment manufacturers regarding possible incorporation of key- 
escrow encryption in their products. In addition, the easy exportability of products 
equipped with key-escrow encryption should prove to be very attractive both to U.S. 
manufacturers of such equipment and to their customers. 

Question 3. I understand the Administration is considering replacing one of the 
two escrow agents with a more neutral third-party, such as an entity in the Judicial 
branch or in the private sector. Which entities are being considered? What criteria 
must any prospective escrow agent have? 

Answer 3. The Administration continues to look for ways to improve the key-es-
crow system. The system may be perceived to improve by the designation of at least 
one alternative escrow agent. Accordingly, the Administration is considering wheth- 
er such an alternative should be designated and, if so, what must be done to effect
such a designation. For example, an entity that is not part of a Cabinet Department 
may require legislative authority to serve as an escrow agent. 

In selecting escrow agents, we looked for a number of important qualifications. 
Among other things, the candidates needed to: 

• Be experienced in handling sensitive materials;

• Be familiar with communications and computer issues; 

• Be able to respond quickly, and around the clock, when government agencies
need to have encryption keys issued to them; and 

• Be generally regarded by the public as both reliable and effective. 

Answer to a Question From Senator Murray to Assistant Attorney General Jo Ann Harris

Question 1. In my office in the Hart building this February, I downloaded from
the Internet an Austrian program that uses DES encryption. This was on a laptop
computer, using a modem over a phone line. The Software Publishers' Association
says there are at least 120 DES or comparable programs worldwide. However, U.S. 
export control laws prohibit American exporters from selling comparable DES pro- 
grams abroad. 

With at least 20 million people hooked up to the Internet, how do U.S. export con- 
trols actually prevent criminals, terrorists or whoever from obtaining DES encrypted 

Answer 1. On the matter of export controls on encrypted software, the Depart- 
ment of Justice defers to the National Security Agency, which, we understand, has
been asked the same question. 



Authorization procedures for release of encryption key components in conjunction 
with intercepts pursuant to Title III
The following are the procedures for the release of escrowed key components in 
conjunction with lawfully authorized interception of communications encrypted with 
a key-escrow encryption method. These procedures cover all electronic surveillance
conducted pursuant to Title III of the Omnibus Crime Control and Safe Streets Act 
of 1968, as amended (Title III), Title 18, United States Code, Section 2510 et seq. 

(1) In each case there shall be a legal authorization for the interception 
of wire and/or electronic communications. 

(2) All electronic surveillance court orders under Title III shall contain
provisions authorizing after-the-fact minimization, pursuant to 18 U.S.C.
2518(5), permitting the interception and retention of coded communications,
including encrypted communications.


(3) In the event that federal law enforcement agents discover during the 
course of any lawfully authorized interception that communications 
encrypted with a key-escrow encryption method are being utilized, they 
may obtain a certification from the investigative agency conducting the in-
vestigation, or the Attorney General of the United States or designee there- 
of. Such certification shall: 

(a) identify the law enforcement agency or other authority conducting 
the interception and the person providing the certification; 

(b) certify that necessary legal authorization has been obtained to con- 
duct electronic surveillance regarding these communications; 

(c) specify the termination date of the period for which interception has 
been authorized;

(d) identify by docket number or other suitable method of specification 
the source of the authorization;

(e) certify that communications covered by that authorization are being 
encrypted with a key-escrow encryption method; 

(f) specify the identifier (ID) number of the key-escrow encryption chip 
providing such encryption; and 

(g) specify the serial (ID) number of the key-escrow decryption device 
that will be used by the law enforcement agency or other authority for 
decryption of the intercepted communications. 

(4) The agency conducting the interception shall submit this certification 
to each of the designated key component escrow agents. If the certification 
has been provided by an investigative agency, as soon thereafter as prac- 
ticable, an attorney associated with the United States Attorney's Office su- 
pervising the investigation shall provide each of the key component escrow 
agents with written confirmation of the certification. 

(5) Upon receiving the certification from the requesting investigative 
agency, each key component escrow agent shall release the necessary key 
component to the requesting agency. The key components shall be provided 
in a manner that assures they cannot be used other than in conjunction 
with the lawfully authorized electronic surveillance for which they were re- 

(6) Each of the key component escrow agents shall retain a copy of the 
certification of the requesting agency, as well as the subsequent confirma- 
tion of the United States Attorney's Office. In addition, the requesting agen- 
cy shall retain a copy of the certification and provide copies to the following 
for retention in accordance with normal recordkeeping requirements: 

(a) the United States Attorney's Office supervising the investigation, 

(b) the Department of Justice, Office of Enforcement Operations. 

(7) Upon, or prior to, completion of the electronic surveillance phase of 
the investigation, the ability of the requesting agency to decrypt intercepted
communications shall terminate, and the requesting agency may not retain 
the key components. 

(8) The Department of Justice shall, in each such case, 

(a) ascertain the existence of authorizations for electronic surveillance 
in cases for which escrowed key components have been released; 

(b) ascertain that key components for a particular key-escrow 
encryption chip are being used only by an investigative agency authorized 
to conduct electronic surveillance of communications encrypted with that 
chip; and 

(c) ascertain that, no later than the completion of the electronic surveil- 
lance phase of the investigation, the ability of the requesting agency to
decrypt intercepted communications is terminated. 

(9) In reporting to the Administrative Office of the United States Courts
pursuant to 18 U.S.C. Section 2519(2), the Assistant Attorney General for 
the Criminal Division shall, with respect to any order for authorized elec- 
tronic surveillance for which escrowed encryption components were released 
and used for decryption, specifically note that fact. 

These procedures do not create, and are not intended to create, any substantive 
rights for individuals intercepted through electronic surveillance, and noncompli- 
ance with these procedures shall not provide the basis for any motion to suppress
or other objection to the introduction of electronic surveillance evidence lawfully ac-

Authorization procedures for release of encryption key components in conjunction 
with intercepts pursuant to state statutes 
Key component escrow agents may only release escrowed key components to law 
enforcement or prosecutorial authorities for use in conjunction with lawfully author- 
ized interception of communications encrypted with a key-escrow encryption meth- 
od. These procedures apply to the release of key components to State and local law 
enforcement or prosecutorial authorities for use in conjunction with interceptions
conducted pursuant to relevant State statutes authorizing electronic surveillance, 
and Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amend- 
ed, Title 18, United States Code, Section 2510 et seq. 

(1) The State or local law enforcement or prosecutorial authority must be 
conducting an interception of wire and/or electronic communications pursu- 
ant to lawful authorization. 

(2) Requests for release of escrowed key components must be submitted to 
the key component escrow agents by the principal prosecuting attorney of 
the State, or of a political subdivision thereof, responsible for the lawfully
authorized electronic surveillance. 

(3) The principal prosecuting attorney of such State or political subdivision 
of such State shall submit with the request for escrowed key components 
a certification that shall: 

(a) identify the law enforcement agency or other authority conducting 
the interception and the prosecuting attorney responsible therefor; 

(b) certify that necessary legal authorization for interception has been 
obtained to conduct electronic surveillance regarding these communications; 

(c) specify the termination date of the period for which interception has 
been authorized; 

(d) identify by docket number or other suitable method of specification 
the source of the authorization; 

(e) certify that communications covered by that authorization are being 
encrypted with a key-escrow encryption method; 

(f) specify the identifier (ID) number of the key-escrow chip providing 
such encryption; and 

(g) specify the serial (ID) number of the key-escrow decryption device
that will be used by the law enforcement agency or other authority for 
decryption of the intercepted communications. 

(4) Such certification must be submitted by the principal prosecuting at- 
torney of that State or political subdivision to each of the designated key 
component escrow agents. 

(5) Upon receiving the certification from the principal prosecuting attor- 
ney of the State or political subdivision, each key component escrow agent 
shall release the necessary key component to the intercepting State or local 
law enforcement agency or other authority. The key components shall be 
provided in a manner that assures they cannot be used other than in con- 
junction with the lawfully authorized electronic surveillance for which they 
were requested. 

(6) Each of the key component escrow agents shall retain a copy of the 
certification of the principal prosecuting attorney of the State or political
subdivision. In addition, such prosecuting attorney shall provide a copy of 
the certification to the Department of Justice, for retention in accordance 
with normal recordkeeping requirements. 

(7) Upon, or prior to, completion of the electronic surveillance phase of 
the investigation, the ability of the intercepting law enforcement agency or 
other authority to decrypt intercepted communications shall terminate, and 
the intercepting law enforcement agency or other authority may not retain 
the key components. 

(8) The Department of Justice may, in each such case, make inquiry to: 

(a) ascertain the existence of authorizations for electronic surveillance 
in cases for which escrowed key components have been released; 

(b) ascertain that key components for a particular key-escrow
encryption chip are being used only by an investigative agency authorized
to conduct electronic surveillance of communications encrypted with that
chip; and

(c) ascertain that, no later than the completion of the electronic surveil- 
lance phase of the investigation, the ability of the requesting agency to 
decrypt intercepted communications is terminated.

(9) In reporting to the Administrative Office of the United States Courts 
pursuant to 18 U.S.C. Section 2519(2), the principal prosecuting attorney 
of a State or of a political subdivision of a State may, with respect to any 
order for authorized electronic surveillance for which escrowed encryption 
components were released and used for decryption, desire to note that fact. 

These procedures do not create, and are not intended to create, any substantive 
rights for individuals intercepted through electronic surveillance, and noncompli- 
ance with these procedures shall not provide the basis for any motion to suppress 
or other objection to the introduction of electronic surveillance evidence lawfully ac- 

Authorization procedures for release of encryption key components in conjunction 
with intercepts pursuant to FISA 
The following are the procedures for the release of escrowed key components in 
conjunction with lawfully authorized interception of communications encrypted with 
a key-escrow encryption method. These procedures cover all electronic surveillance 
conducted pursuant to the Foreign Intelligence Surveillance Act (FISA), Pub. L. 95- 
511, which appears at Title 50, U.S. Code, Section 1801 et seq. 

(1) In each case there shall be a legal authorization for the interception 
of wire and/or electronic communications. 

(2) In the event that federal authorities discover during the course of any 
lawfully authorized interception that communications encrypted with a key-
escrow encryption method are being utilized, they may obtain a certification
from an agency authorized to participate in the conduct of the interception,
or from the Attorney General of the United States or designee thereof. Such
certification shall:

(a) identify the agency participating in the conduct of the interception 
and the person providing the certification;

(b) certify that necessary legal authorization has been obtained to con- 
duct electronic surveillance regarding these communications;

(c) specify the termination date of the period for which interception has 
been authorized;

(d) identify by docket number or other suitable method of specification 
the source of the authorization; 

(e) certify that communications covered by that authorization are being 
encrypted with a key-escrow encryption method; 

(f) specify the identifier (ID) number of the key-escrow encryption chip 
providing such encryption; and 

(g) specify the serial (ID) number of the key-escrow decryption device 
that will be used by the agency participating in the conduct of the intercep-
tion for decryption of the intercepted communications. 

(4) This certification shall be submitted to each of the designated key 
component escrow agents. If the certification has been provided by an agen- 
cy authorized to participate in the conduct of the interception, a copy shall 
be provided to the Department of Justice, Office of Intelligence Policy and 
Review. As soon as possible, an attorney associated with that office shall 
provide each of the key component escrow agents with written confirmation 
of the certification. 

(5) Upon receiving the certification, each key component escrow agent 
shall release the necessary key component to the agency participating in 
the conduct of the interception. The key components shall be provided in 
a manner that assures they cannot be used other than in conjunction with 
the lawfully authorized electronic surveillance for which they were re-

(6) Each of the key component escrow agents shall retain a copy of the 
certification, as well as the subsequent written confirmation of the Depart- 
ment of Justice, Office of Intelligence Policy and Review. 

(7) Upon, or prior to, completion of the electronic surveillance phase of
the investigation, the ability of the agency participating in the conduct of
the interception to decrypt intercepted communications shall terminate, and
such agency may not retain the key components.

(8) The Department of Justice shall, in each such case, 

(a) ascertain the existence of authorizations for electronic surveillance
in cases for which escrowed key components have been released; 

(b) ascertain that key components for a particular key-escrow
encryption chip are being used only by an agency authorized to participate 
in the conduct of the interception of communications encrypted with that 
chip; and 

(c) ascertain that, no later than the completion of the electronic surveil- 
lance phase of the investigation, the ability of the agency participating in
the conduct of the interception to decrypt intercepted communications is 

(9) Reports to the House Permanent Select Committee on Intelligence and
the Senate Select Committee on Intelligence, pursuant to Section 108 of 
FISA, shall, with respect to any order for authorized electronic surveillance 
for which escrowed encryption components were released and used for
decryption, specifically note that fact. 

These procedures do not create, and are not intended to create, any substantive 
rights for individuals intercepted through electronic surveillance, and noncompli- 
ance with these procedures shall not provide the basis for any motion to suppress 
or other objection to the introduction of electronic surveillance evidence lawfully ac- 

Answers to Questions From the Senate Subcommittee on Technology and Law to NIST

Question 1. How long has the key escrow encryption standard been in develop- 
ment? Which agency originated these concepts? 

Answer 1. The concept of key escrow has been in development, as a solution to 
meeting the needs for information protection while not harming the government's 
ability to conduct lawful electronic surveillance, for about five years. The final devel- 
opment and approval process of the Escrowed Encryption Standard (Federal Infor- 
mation Processing Standard 185) began following the President's decision an- 
nounced on April 16, 1993. The concepts were developed at the National Security 
Agency, in response to requirements of law enforcement agencies and following dis-
cussions with NIST. 

Question 2. Before NIST recommended the key escrow encryption method for 
nonclassified information, did it consider commercially-available encryption meth- 
ods? If so, why were they rejected? 

Answer 2. The voluntary key escrow encryption chip was developed specifically be- 
cause no other products, commercial or otherwise, met the needs of the government 
for protecting its sensitive information in voice grade telephone communications 
while at the same time protecting its lawful electronic surveillance capabilities. 

Question 3. The Administration recently established an interagency Working 
Group on Encryption and Telecommunications "to develop new encryption tech- 
nologies" and "to review and refine Administration policies regarding encryption." 
Is this Group reviewing the Clipper Chip program? 

Answer 3. This group is monitoring on-going development of the voluntary key es-
crow encryption initiative (e.g., alternative methods, better implementations, etc.). 
It is not reviewing the President's decision to commit the government to promote 
voluntary key escrow encryption for voice grade telephone communications. 

Question 3.1. Has this Working Group yet recommended any changes to the Clip- 
per Chip program? If so, what are those recommendations? 

Answer 3.1. The Working group continues to pursue voluntary key escrow 
encryption technologies — and stands ready to work with interested industry firms 
to do so. It has not recommended any specific changes to the current program. 

Question 3.2. What refinements to the Clipper Chip program is this Group consid- 

Answer 3.2. It is examining organizations outside the Cabinet Departments to
serve as alternative escrow agents. It is also examining issues involving inter- 
national law enforcement cooperation on voluntary key escrow encryption matters. 

Question 3.3. When will this Working Group complete its review of the Clipper 
Chip program? 

Answer 3.3. While there is no re-examination of the Administration's commitment
to the key escrow encryption initiative, the review of its implementation will likely
continue for some time. This reflects the need to monitor both the voluntary key
escrow encryption program and other encryption developments.

Question 4. NIST is supposed to be leading efforts to work with industry to im- 
prove on the key escrow chips, to develop a key-escrow software and to examine al- 
ternatives to Clipper Chip. Could you describe NIST's progress on each of these 
three tasks? Specifically, what are the improvements and alternatives to Clipper
Chip that NIST is considering? 

Answer 4. The key escrow encryption software working group, which includes sev- 
eral industry representatives, has met several times to: 

1) Specify and structure the problems to be solved; 

2) Study the overall system integrity requirements for an acceptable solution; 

3) Develop and list criteria for evaluating alternative proposed solutions; and 

4) Begin defining software-based alternatives to the voluntary Clipper Chip key
escrow system. 

This research work can reasonably be expected to last at least two-three years. 

Regarding hardware improvements, no working group has yet been formed, but 
the Administration has repeatedly expressed its willingness to work with interested
industry participants to develop improvements and alternatives. 

Question 5. The Defense Authorization Bill for Fiscal Year 1994 has authorized
$800,000 to be spent by the National Research Council of the National Academy of
Sciences to conduct a two-year study of federal encryption policy. Do you think this
study is necessary? 

Answer 5. While we believe that the Administration's review of these issues was 
thorough, this study may identify new approaches for privacy while preserving law- 
ful electronic surveillance capabilities which would be useful. The NRC's report will 
receive careful study. 

Question 5.1. Why is the Administration not waiting to implement its key escrow 
encryption program until the National Research Council's study is completed?

Answer 5.1. The Administration's key escrow encryption initiative was announced
on April 16, 1993, over seven months before the enactment of the National Defense 
Authorization Act for FY-94, which authorized the NRC study. The NRC study, 
which will consider issues substantially broader than those involved in key escrow 
encryption, will not be completed for at least two more years. The Administration's 
voluntary key escrow encryption initiative seeks to ensure that in setting new fed- 
eral standards, lawful electronic surveillance capabilities are not undermined. De-
laying our standards would harm federal agencies' capabilities to protect their infor-
mation. Setting good encryption standards without key escrowing would harm law- 
ful surveillance capabilities. 

Question 5.2. Should this study be expedited? 

Answer 5.2. NIST is not participating directly in the study, which is not yet un- 
derway. We do not know whether the study could be expedited without diminishing 
its thoroughness and accuracy. 

Question 6. The Government wants the key escrow encryption standard to become 
the de facto industry standard in the United States, but has assured industry that 
use of the key escrow chips is voluntary. Would the Government abandon the Clip- 
per Chip program if it is shown to be unsuccessful beyond Government use? 

Answer 6. The key escrow encryption initiative successfully provides for excellent 
protection of federal information (and that of other users), without undermining the 
ability of law enforcement to conduct lawful electronic surveillance. Since it meets 
these goals successfully, the Escrowed Encryption Standard will continue to be a 
highly satisfactory method of protecting sensitive federal information and, therefore, 
should remain in effect regardless of its level of adoption within the private sector. 

Question 7. If a user first encrypts a message with software using DES, and then 
transmits the message "double encrypted" with a key escrow chip, can you tell from 
looking at the cipher, or encrypted text, that the underlying message was 

Answer 7. No. The only way to tell that a message has been "double encrypted" 
in this way would be to decrypt the "outer layer" of encryption (i.e., that done with 
Clipper). Only then would one be able to tell that the message had first been
encrypted with something else. 

Question 8. Capstone is the Skipjack implementation for use with data transmit- 
ted electronically. Has the Capstone chip been incorporated in any product currently 
being marketed? When will the Capstone chip be released? 

Answer 8. Capstone chips are just now becoming available. The Capstone chip is
being incorporated into a personal computer memory card ("PCMCIA card") for use
in providing security for sensitive government information in the Defense Message
System. This is the only product actually in production using Capstone. The Cap-
stone chip technically can be used for many security applications, not just computer
Question 9. As computer and telecommunications technology advances, we are 
able to send more information at higher speeds. The speed and reliability of our 
telecommunications infrastructure gives American businesses the necessary edge in 
our global marketplace. The specifications for Clipper Chip indicate that it is de-
signed to work on phone systems that transmit information no faster than 14,400 
bits per second or on basic-rate ISDN lines, which transmit information at about 
64,000 bits per second. Do the Clipper and Capstone Chips work fast enough for 
advanced telecommunications systems? Will Clipper Chip be able to keep up with 
the increasing speeds of telecommunications networks? Can the Skipjack algorithm 
be "scaled" to work at higher speeds?
(See combined answer to questions 9 and 10 below.) 

Question 10. Other commercially available encryption methods, like the Data
Encryption Standard, have encryption rates much higher than Clipper Chip. Cur-
rent high speed DES processors have encryption rates of approximately 200 million 
bits per second, which dwarfs the Clipper Chip's maximum throughput of 15 million 
bits per second. How will the Clipper Chip technology be able to compete with other 
encryption methods that can keep up with the higher speeds of emerging tech-

Combined answer to Questions 9 and 10. The Clipper Chip as a hardware device 
was specially designed for end-to-end encryption of low-speed applications such as
digitized voice. It is more than fast enough for this purpose, even if encrypted traffic 
is carried on the most advanced, high-speed telecommunications backbones. Cap- 
stone also was designed for end-to-end encryption of user data. Neither Clipper nor
Capstone was designed to perform bulk encryption of high-speed telecommuni- 

The Skipjack algorithm, like the DES algorithm, is suitable for use at much high-
er speeds than implemented in Clipper and Capstone, and Skipjack-based hardware
can be designed for higher-speed link-encryption applications as the need arises. As
the speeds of the newest telecommunications technologies continue to grow, new key
escrow devices will be developed as needed. Key escrow encryption technology will
be able to compete with most other encryption methods for very high-speed applica-

Question 11. The Administration has assured industry that the key escrow tech- 
nology will be enhanced to keep pace with future data requirements. What is the 
Administration doing to develop key escrow technology that can work with emerging 
high-speed communications technologies?

Answer 11. The Administration is working to identify needs for higher-speed ap-
plications of key escrow technology and will work to develop key escrow encryption
devices to meet those needs. The technology for escrowing keys is readily adaptable 
to emerging high-speed applications. 

Question 12. Openly available devices, such as Intel-compatible microprocessors,
have seen dramatic gains, but only because everyone was free to try to build a bet-
ter version. Given the restrictions on who can build key escrow encryption chips,
how will these chips keep up with advances in semiconductor speed, power, capacity
and integration? 

Answer 12. Despite the requirements that a firm must meet to produce key es- 
crow encryption chips, we expect that there will be a number of manufacturers com- 
peting against each other to produce the best product, and that such competition 
will drive them to keep up with the latest technological advances. It is worth noting
that only a few companies can produce the sophisticated microprocessors you ref- 
erence, yet the competition in that market has driven them to achieve remarkable 
advances in that technology. 

Question 13. NIST estimates the cost of establishing the key escrow facilities to
be $14 million and the cost of operating the key escrow facilities will be about $16
million annually. What is your statutory authority for these expenditures?

Answer 13. Under the Computer Security Act of 1987, NIST is responsible not 
only for developing Federal Information Processing Standards for the protection of 
sensitive federal government information, but also for providing assistance in using 
the Standards and applying the results of program activities under the Act. 

Most directly applicable are sections 278g-3(b) (1) and (3) of title 15 of the U.S.
Code. Subsection (3) authorizes NIST to provide technical assistance in implement-
ing the Act to operators of federal systems. Subsection (1) authorizes NIST to assist
the private sector in "using and applying" the results of NIST's programs under the
Act, thus showing that the scope of the assistance authorized by the Act includes
help in applying the standards NIST develops. This section indicates that NIST may
provide technical assistance to the private sector rather than just to the federal
agencies that must comply with the standards.

Question 14. What has been spent to date on Skipjack, Capstone and Clipper 

Answer 14. NIST's FY-94 expenditures through the end of April are approxi- 
mately $268,000. FY-93 expenditures regarding the Clipper Chip and key escrow 
encryption technologies involved a significant portion of NIST's computer security 
budget, specifically the level of resources devoted to this technology was approxi- 
mately four years of professional staff time and travel expenses of about $10,000. 

NSA will provide their funding information separately to the Committee. 

No cost figure can be assigned to the NSA's development of the SKIPJACK algo- 
rithm, in part because it was developed as a family of classified algorithms over a 
period of years. 

Question 15. NIST has explained that the single company manufacturing the Clip- 
per Chips was selected because of its expertise in designing custom encryption 
chips, as well as its secure facilities and employees with high security clearances. 
How long will it take for the Government to certify another vendor of Clipper Chip? 
What progress, if any, has the Administration made on finding another vendor? 

Answer 15. Several firms have expressed interest in becoming vendors of key es- 
crow encryption chips. So far, one of these (other than the current company) has 
demonstrated that it has the technical expertise, secure facilities, and cleared per- 
sonnel necessary to do the job. We expect that this firm would be able to commence 
production by early 1996. 

Question 16. Once a given chip has been compromised due to use of the escrowed 
keys, is there any mechanism or program to re-key or replace compromised hard- 
ware? Is there any method for a potential acquiring party to verify whether the keys 
on a given chip have been compromised? 

Answer 16. It should be emphasized that release of escrowed key components to 
law enforcement agencies for use in conjunction with lawfully authorized electronic 
surveillance does not constitute compromise of the particular chip associated with 
those key components. Upon completion of electronic surveillance, the law enforce- 
ment agency's ability to decrypt communications with the particular chip ends, and 
therefore, those communications again become undecryptable unless and until the 
key components are released once more. There is no way to re-key chips for which 
escrowed keys have been used. If a chip could be re-keyed, it might be possible for 
users to replace the chip unique key, thus defeating the law enforcement access 
field. The hardware can be replaced with new hardware for which keys have not 
been released from escrow. 

Question 17. The Skipjack algorithm itself is classified, but the halves of the keys 
held by the escrow agents cannot be since they will be released upon presentation 
of a court order. Will the databases maintained by the escrow agents to hold the 
keys be subject to the Freedom of Information Act? What exception will you rely 
upon to justify withholding requests for information under FOIA? 

Answer 17. As a matter of clarification, it should be noted that the key compo- 
nents are not themselves part of the SKIPJACK algorithm, nor do they, in combina- 
tion with each other or with any other group of binary numbers, generate the algo- 
rithm, or provide any information regarding its characteristics. 

We understand your question regarding the Freedom of Information Act as relat- 
ing to the electronically stored key components held by NIST as an escrow agent, 
which information associates each particular chip-unique ID number with one of the 
components of its unique key. Release of these key components would permit a 
FOIA requestor to circumvent the protections that NIST is required to develop and 
promulgate as Federal Information Processing Standards under the Computer Secu- 
rity Act of 1987 (P.L. 100-235). Under 5 U.S.C. 552(b)(2), agencies are authorized 
to withhold information the disclosure of which would risk the circumvention of a 
statute or agency regulation. Therefore, the key escrow materials are protectible 
under 5 U.S.C. 552(b)(2). 

Question 18. Normal security procedures involve changing cryptography keys peri- 
odically, in case one has been compromised. For example, those of us who use E- 
mail systems are accustomed to periodically changing our password for access to the 
system. But Clipper Chip's family and unique key cannot be changed by the user. 
If these keys are compromised, it will not matter how frequently the user changed 
their session keys. Does the long use of the same family and unique keys increase 
the likelihood that these keys will be compromised while they are still in use? Does 
this eliminate a significant degree of the user's control of the level of security that 
the system provides? 

Answer 18. No. As discussed in the answers to other questions, access to the key 
escrow components will be highly controlled. In addition, these components them- 
selves will be encrypted. Extensive audit procedures have been designed into the 
system to guard against any unauthorized access. Given these and other extensive 
protections, it is very unlikely that long use of the same chip unique or family key 
will have any negative impact upon users' security. 

Question 19. How secure is the Clipper Chip if someone gets unauthorized access 
to half the key? 

Answer 19. Knowledge of only one key component provides no information about 
the chip unique key and, therefore, does not in any way harm the security of the 

Question 20. Every Clipper Chip has the same Family Key programmed into it. 
When conversations encrypted with Clipper Chip are intercepted, this Family Key 
is used to decode the intercepted serial number, or unique identifier, which the tar- 
geted chip transmits at the beginning of every conversation. With the serial number, 
the law enforcement agency can get the government set of key components from the 
escrow agents. Who has access to the Chip Family Key? Is it going to be distributed 
to all law enforcement agencies so they can quickly decipher serial numbers of chips 
that may become the target of a wiretap order? Will the Chip Family Key be pro- 
tected in any way and, if so, how? 

Answer 20. With respect to the first question, access to the family key is very 
closely held. The family key is the combination of two binary numbers independ- 
ently and randomly generated and held, respectively, by the Department of Justice 
and the FBI. The combined family key is held under tightly controlled conditions 
in a dual-control safe at the programming facility for use in the programming proc- 
ess. When needed for a programming run, the family key is extracted from storage 
by specially designated employees of the programming facility, in the presence of 
representatives of the escrow agents, and entered into the programmer. At the end 
of a programming run, the programmer is again cleared of the family key. In addi- 
tion, the family key is programmed into all law enforcement decrypt processors to 
discern the particular chip ID number when necessary. 

With respect to the question regarding availability of the family key, the foregoing 
explanation indicates the extraordinary limitations on access to the family key. 
Agencies desirous of learning whether a particular communication is encrypted with 
key escrow encryption and, if so, learning the particular chip ID number will have 
access to the family key only as programmed into the decrypt processor. This may 
require a particular agency not possessing such a processor to provide to an agency 
that does hold one the communications suspected of being encrypted, so that the ini- 
tial determination can be made. It should be emphasized, however, that an agency's 
determination of whether communications are being encrypted, and of the ID num- 
ber of the chip performing the encryption, would occur in conjunction with the con- 
duct of a lawfully authorized surveillance — not, as the question may imply, as part 
of activities preceding such authorization. Further questions on the protection of the 
family key are best directed to the U.S. Department of Justice. 

Question 21. The Chip Family Key is built into the chip when it is programmed 
and cannot be changed. In the event that someone got unauthorized access to the 
Chip Family Key, what could that person do with it? 

Answer 21. In the very unlikely event that someone were able to gain access to 
the family key and were able to figure out a means to use it, the only information 
that could be obtained would be the serial numbers of the EES devices used for a 
telecommunication. Of course, intercepting such a telecommunication without lawful 
authorization would be a felony offense. 

Question 22. Clipper Chip design data will need to be released to manufacturers 
in order for them to incorporate the chip into security devices. How will we be as- 
sured that this design information, in itself, will not allow the key escrow chips to 
be compromised? 

Answer 22. The only design data which will need to be released to manufacturers 
of devices using the chip are its interface specifications, such as size, power require- 
ments, data input, and the like. None of these data can in any way be used to deter- 
mine the encryption algorithm or any other information affecting the security of the 

Question 23. A decrypt device will be used to receive an electronic transmittal of 
the two key halves from the escrow agents. The decrypt device will then be able 
to decrypt the intercepted message, until the wiretap authorization ends, when it 
will automatically turn itself off. How many of these decrypt devices will be built? 
Will the decrypt devices be maintained in a central secure facility? If so, who will 
maintain custody of the devices and how will they be distributed to the law enforce- 
ment agencies that need them? 

Answer 23. Termination of a decrypt processor's ability to decrypt communications 
using a particular key escrow chip is a fundamental protection built into the system 
and law enforcement agencies that have received key components will be required 
to certify such termination. In the prototype model of the decrypt processor, that 
termination is effected manually; automatic termination will be available in later 

The number of decrypt processors that will ultimately be produced will probably 
be in large measure a function of the number of key escrow equipped devices in use 
throughout the country and the number of times key escrow encryption is encoun- 
tered in the course of wiretaps. For the foreseeable future, when it is likely that 
the number of decryption processors will be small, it is likely that they would be 
centrally held by the FBI, to be made available for use in the field on an as-needed 

Question 24. The key escrow approach is designed to ensure the ability of the 
American government to access confidential data. What would make key escrow 
chips manufactured in America an attractive encryption method for foreign cus- 

Answer 24. The key escrow initiative was undertaken to provide users with robust 
security without undermining lawfully authorized wiretaps. This point is important 
to emphasize as the market for this product very much depends on who users per- 
ceive as a threat to intercept their communications. The potential export market for 
encryption products can be divided into two categories: exports for foreign govern- 
ment use and exports for non-government use. The most likely government users 
of commercial encryption products would be countries that have a relatively low de- 
gree of technical sophistication, lack other resources necessary to develop their own 
encryption products, and do not perceive the United States as a primary threat. 
Such countries might be primarily concerned about access to their communications 
by neighboring countries, terrorists, criminal elements, or domestic political oppo- 
nents. Such government users might view a vulnerability to possible eavesdropping 
by the United States as a price worth paying in return for security against those 
more immediate threats. However, we do not expect such users to constitute a major 
export market for key escrow encryption products. 

The non-government sector represents a much greater potential export market for 
key escrow encryption products. While some prospective users abroad may steer 
clear of key escrow products because the United States will retain access, there may 
be many who believe they are unlikely to be targeted by U.S. intelligence in any 
case or for whom the superior security offered by key escrow encryption products 
against threats of greater concern may make key escrow products an attractive op- 
tion. (For example, a distributor of pay-TV programming may depend on encryption 
to ensure that only those viewers who pay for the service can decrypt the TV signal. 
Such a distributor probably would not be concerned about the threat of access by 
the United States Government, and might favor key escrow encryption over compet- 
ing products that use weaker encryption algorithms.) In addition, others may be at- 
tracted to key escrow encryption products in part by the need to interoperate with 
other users of such products, especially businesses in the United States. 

Question 25. If key escrow chips are not commercially accepted abroad, and export 
controls continue to restrict the export of other strong encryption schemes, is the 
U.S. Government limiting American companies to a U.S. market? 

Answer 25. U.S. firms have long been major players in the international commer- 
cial encryption market despite export controls on encryption products. We do not im- 
pose a blanket embargo on products which encrypt data or voice. Encryption prod- 
ucts undergo a one-time technical review, the results of which are used in decisions 
as to whether a given product can be exported to particular end users consistent 
with U.S. interests. After the one-time review, products are given expedited licens- 
ing treatment. Some are licensed for export to virtually all end users. Some products 
are licensed less widely. Overall, over 95% of export license applications for 
encryption products are approved. Any encryption product can be exported by U.S. 
businesses for use in their facilities abroad. In addition, the President recently di- 
rected that a number of changes be made in the licensing process to expedite licens- 
ing and to ease the regulatory burden on exporters. In short, we have every reason 
to expect that the U.S. will continue to be a major exporter of commercial encryption 
products, regardless of the commercial success of key escrow encryption products. 

Question 26. Is the key escrow encryption system compatible with existing 
encryption methods in use? 

Answer 26. As is true among devices using different algorithms (e.g., DES, RSA, 
RC4, etc.) key escrow encryption products will not interoperate with other products 
using a different algorithm. Note also that many commercial products that use the 
same algorithm do not interoperate due to other constraints (e.g., transmission 
rates, voice-digitization process, other protocols, etc.). 


Question 27. As part of NIST's continuing review of the key escrow encryption 
scheme, is NIST considering any new encryption approach that would be compatible 
with the embedded base of equipment? 

Answer 27. No new approaches are being considered with the specific goal of com- 
patibility with some installed devices. Note that no encryption approach would be 
consistent with the entire installed base of equipment. It is too widely varied. 

Question 28. Critics of U.S. export restrictions on strong encryption technology 
argue that these restrictions have the effect of reducing the domestic availability of 
user-friendly encryption, which could otherwise be routinely incorporated in soft- 
ware and telecommunications equipment. What is the Administration's response to 
this criticism? 

Answer 28. We do not believe that export controls have reduced the domestic 
availability of encryption. Encryption products have been commercially available in 
this country for a long time, especially since the adoption of the Data Encryption 
Standard (DES) as a Federal Information Processing Standard in 1977. However, 
demand for such products has been limited, with government purchases comprising 
the bulk of the encryption market. As public interest in and understanding of the 
need for security increases, we are moving aggressively to make available to the 
public, on a voluntary basis, the voluntary key escrow encryption technology needed 
to provide strong encryption without sacrificing the public's interest in effective law 
enforcement. Far from reducing the domestic availability of encryption, government 
actions, from adopting the DES standard to development of key escrow encryption 
technology, and even in driving the market during the years when there was little 
commercial interest, have greatly increased the domestic availability of encryption 
products, rather than reducing it. 

Answer to a Question From Senator Patty Murray to NIST 

Question 1. In my office in the Hart building this February, I downloaded from 
the Internet an Austrian program that uses DES encryption. This was on a laptop 
computer, using a modem over a phone line. The Software Publishers' Association 
says there are at least 120 DES or comparable programs worldwide. However, U.S. 
export control laws prohibit American exporters from selling comparable DES pro- 
grams abroad. With at least 20 million people hooked up to the Internet, how do 
U.S. export controls actually prevent criminals, terrorists or whoever from obtaining 
DES encryption software? 

Answer 1. On the matter of export controls on encryption software (including 
DES), NIST defers to the National Security Agency, which, we understand, has been 
asked the same question. 

Answer to a Question From Senator Larry Pressler to Raymond Kammer, Deputy Director, NIST 

Question 1. NIST has approved the use of the Clipper Chip as the federal stand- 
ard for encoding federal communications involving sensitive but unclassified infor- 
mation. Is there a reason why the Clipper Chip is not approved for classified infor- 
mation as well? If so, please explain. 

Answer 1. The National Security Agency approves encryption systems for the pro- 
tection of classified information, and is considering approval of Clipper for selected 
classified applications. The encryption algorithm used in the Clipper Chip, called 
SKIPJACK, is one of a family of encryption algorithms developed by NSA for use 
in protecting classified information. 

Answers to Questions From the Senate Subcommittee on Technology and the Law to Whitfield Diffie 

Question 1. The serial number, or unique identifier number, for each key escrow 
chip is sent out as a header on each encrypted communication. If the Government 
just wanted to know where I was and not what I was saying, would it be possible 
for the Government to track down the header on my communications and figure out 
where I was from where I was sending out my encrypted messages? Could you ex- 
plain how this would be possible? Do you have concerns about this? 

Answer 1. The serial number is contained in a block encrypted with the Family 
Key and is thus accessible only to those who can obtain the Family Key. This point 
is discussed further in the response to question 8. 

Concealing the gross characteristics of messages (existence, timing, length, origin, 
destination, etc.) is typically more difficult to achieve by end-to-end techniques 
(those that operate only in the user's equipment) than concealing their contents. In 
modern telephone systems the called and calling numbers of phone calls are typi- 
cally easy to get at. (This is what makes possible the controversial Caller-ID serv- 
ice.) In electronic mail — even encrypted electronic mail — this information is nor- 
mally contained in the message headers. In the case of cellular telephones, the par- 
ticular characteristics of the phone as a radio (Emitter ID) can be detected and used 
to distinguish among individual phones. 

In short, although preventing interceptors from detecting serial numbers would be 
one necessary step in preventing tracking, that task is quite difficult and serial 
numbers may not be the most critical element. 

Question 2. NIST has stated that "industry interest in developing secure software 
based on key escrow encryption is minimal." Is that a correct assessment and, if so, 
could you explain why? 

Answer 2. NIST's statement is unfamiliar to me, but certainly accords with my 
experience. We do not perceive our customers as wanting escrowed encryption, so 
why would we want to develop software around it? There are de facto industry 
standards growing up around public key and multiple-DES. I suspect I speak for 
a broad segment of the industry in saying that we prefer to develop software based 
on publicly known techniques that are receiving acceptance from our customers. 

Question 3. In a speech last month at a telecommunications conference in Buenos 
Aires, Vice President Gore described his vision for a global information network to 
link the people of the world and provide a global information marketplace. How 
would the electronic information flow between countries be effected if other coun- 
tries will not let Clipper Chip in? 

Answer 3. At present most internet traffic, like most of the world's communica- 
tions, is unencrypted. It is the belief of those of us who support improvement of tele- 
communication security that the developing information infrastructure will not be 
able to serve its function adequately unless it is made more secure. Since the net- 
work — like the world economy — is international, worldwide interoperability stand- 
ards are required. Security products that are the exclusive property of one country, 
or even a small group of countries, would appear to have no possibility of fulfilling 
this function. 

Question 4. We are market leaders in applications software and operating sys- 
tems. Our world leadership in operating systems is dependent on integrating secu- 
rity in internationally distributed systems. If overseas companies provide systems 
based on algorithms without key escrow schemes that encrypt faster and more se- 
curely, how will we compete internationally? 

Answer 4. If overseas companies produce operating systems and application pro- 
grams based on security mechanisms that cannot be exported from the United 
States, the U.S. software business will surely suffer. 

Question 5. The National Security Agency has stated that "many non-key escrow 
encryption products have long been licensed for export * * * [and] * * * will continue 
to be * * *." Do you share this view that many American encryption products are 
freely licensed for export? 

Answer 5. You have quoted NSA as saying that products "have been licensed for 
export" and "will continue to be." They have said nothing about "freely." In our ex- 
perience it is often difficult and time consuming to get export licenses in secure com- 
munications and related areas even when there are comparable foreign products or 
when licenses have previously been granted for similar shipments. 

The history of export licenses, however, is a question of facts not of views and 
these are facts to which I have little access. The question points up an issue that 
should be high on the export reform agenda: An opening up of the export control 
process that creates a written public record of export control policies and decisions. 

Question 6. The Administration has stated that the Skipjack algorithm in the 
Clipper Chip must remain classified and only specially certified vendors will be 
given access to it. By contrast, openly available devices, such as Intel-compatible 
microprocessors, have seen dramatic gains, but only because everyone was free to 
try to build a better version. Given the restrictions on who can build Clipper de- 
vices, do you have any concerns about how Clipper will keep up with advances in 
semiconductor speed, power, capacity and integration? 

Answer 6. I do, but these concerns are merely part of a larger concern. If the 
semi-conductor industry becomes dependent on parts available only on the suffer- 
ance of the government, it will no longer be free to make and carry out basic busi- 
ness decisions. 

Should NSA (which appears to have control of the technology and the supply of 
parts despite the fact that key escrow is a Department of Commerce standard) de- 
cide to cease authorizing the production of clipper chips, industry would no longer 
be able to ship products interoperable with those sold earlier. 


When Digital Equipment Corporation concluded some years ago that a very high 
speed DES device might be needed, it developed one internally using Gallium Arse- 
nide technology. Should a semi-conductor manufacturer decide that a similar high- 
speed SKIPJACK chip was required it would need NSA's concurrence and coopera- 
tion to go ahead with the product. Under these circumstances, it might be blocked 
because NSA did not have any way of tamper proofing a sufficiently fast design. It 
should also be noted that such developments could be blocked or delayed even when 
they were completely in accord with government policy and objectives, because of 
lack of government funds, personnel, or other resources. 

Question 7. The Administration has assured industry that the key escrow tech- 
nology will be enhanced to keep pace with future data requirements. Are you aware 
of anything the Administration is doing to develop key escrow technology that can 
work with emerging high-speed communications technologies? 

Answer 7. It is my understanding that a high speed algorithm called BATON is 
under development, but I have no further information. 

Question 8. Every Clipper Chip has the same Family Key programmed into it. 
This Family Key is used by law enforcement to decode an intercepted serial number, 
or unique identifier, that is transmitted at the beginning of every encrypted con- 
versation. The law enforcement agency presents this serial number to get the decod- 
ing keys from the escrow agents. In the event that someone got unauthorized access 
to the Chip Family Key, what could that person do with it? Do you have any con- 
cerns about who will have access to the Chip Family Key? 

Answer 8. Although the administration seems to be saying that the Family Key 
will be very tightly controlled, it is traditional COMSEC doctrine that nothing that 
remains constant for a long period of time can be expected to remain secret. This 
is the view under which cryptographic systems are always presumed to be known 
to an opponent. 

Possession of the family key, together with the LEAF creation method, would 
allow an opponent to identify individual cryptographic chips as discussed under 
question 1. It would also bring an opponent one step closer to recovering Chip 
Unique Keys, as described in my testimony, and thus having potential access to all 
past and future messages encrypted by particular chips. 

Question 9. The Internet Privacy Enhanced Mail (PEM) is becoming an inter- 
nationally recognized system for encrypting Electronic Mail over the Internet. If the 
Administration is successful in making the Skipjack key escrow system an American 
standard for encrypting electronic mail while the rest of the world uses PEM, how 
would this effect encrypted E-mail traffic between the U.S. and other countries? 

Answer 9. I don't know how widely PEM is used at present, either inside or out- 
side the U.S. PEM, in contrast to its competitor Pretty Good Privacy or PGP, has 
a rigid certificate structure that requires the construction of certification hierarchies 
and registration of users. The effect is to require top down adoption of PEM rather 
than promoting its free spread among users. This has slowed its "market penetra- 
tion." PEM is also export controlled, although I have been told there are non-U.S. 
implementations. 

At present only the DES/RSA combination of cryptosystems are reflected in PEM 
standards. PEM is potentially flexible, however, attaching labels to messages that 
indicate the cryptosystem in use. (Sun's implementation, for example, allows alter- 
nate cryptosystems.) There has been discussion of expanding PEM to allow triple 
DES and a key escrow based version seems equally possible. 

Nonetheless, if a multiple DES and RSA version of PEM is widely used outside 
the U.S. and a key escrow version is used within, this will present a major barrier 
to secure communications between American and foreign companies. 

Question 10. Is the demand for strong encryption technology growing and, if so, 


Answer 10. It is hard to distinguish a demand for strong encryption from a de- 
mand for encryption period. It is, after all, rare for someone to want weak 
encryption. Usually it is accepted because strong encryption is too expensive or oth- 
erwise unavailable. The long history of scrambled (weakly analog encrypted) tele- 
phones, for example, was a result of the high cost of digitizing the sound so that 
it could be strongly encrypted. 

That said, the demand for encryption is growing. The fundamental reason is that 
as the quality of communication networks improves, the value of the traffic they 
carry increases. At one time long distance telephone calls were too expensive and 
too poor in quality to be used for anything more than making appointments or get- 
ting quick answers to questions. Today, entire business meetings are conducted by 
phone. The growth in quality and cost performance of written electronic communica- 
tions has been even greater and has led to important and sensitive messages being 
transmitted by fax or electronic mail. Today, most of these messages go without "en- 
velopes." That is what encryption provides. 

Sun Microsystems Computer Corp., 

Mountain View, CA, May 23, 1994. 

Hon. Patty Murray, 
Committee on the Judiciary, 
U.S. Senate, Washington, DC. 

Dear Senator Murray: I very much appreciate the opportunity to respond to 
your question: 

Question 1. In my office in the Hart building this February, I downloaded from 
the Internet an Austrian program that uses DES encryption. This was on a laptop 
computer, using a modem over a phone line. The Software Publishers' Association 
says there are at least 120 DES or comparable programs worldwide. However, U.S. 
export control laws prohibit American exporters from selling comparable DES pro- 
grams abroad. 

With at least 20 million people hooked up to the Internet, how do U.S. export con- 
trols actually prevent criminals, terrorists or whoever from obtaining DES encrypted 

Answer 1. I have considered this issue with some care and I believe the answer 
lies in the critical dependence of the adoption of security measures on their ease 
of use. 

No matter how obvious the need for communication security is to those of us who 
work in the field, it is difficult to sell. The reason for this is that communications 
intelligence is rarely visible to its target. Even if a company finds that it is repeat- 
edly losing bids by small margins to a single competitor, discovering whether the 
vulnerability is in communications or procedures or personnel is very difficult. 
Under the circumstances, selling secure communications is much like selling insur- 
ance against a disaster that the customer cannot see. 

The result is that users tend to avail themselves of secure communications only 
when security is built in as an automatic function that does not interfere with their 
work or require their attention. The availability of a cryptographic program that is 
not integrated into an application is useful only to those already dedicated to the 
practice of security. For these people, converting the Federal Standard for DES or 
some similar algorithm specification into a program is a small part of the job. 

Consider for example, someone who is writing many drafts of a report and keep- 
ing them encrypted by using a file encryption program separate from the word proc- 
essor. The writer must not only remember to reencrypt the file after each editing 
session, but if the word processor leaves unintended copies around on the disk, must 
run a disk cleaning program as well. Any slip-up potentially leaves the document 
vulnerable to compromise and similar examples present themselves in communica- 

What NSA fears is a Sun or Microsoft or DEC operating system with encryption 
built in in such a way that after an initial log-in, all security is provided trans- 
parently for the user. This might, for example, support an application allowing peo- 
ple at remote locations to work jointly on a document. All drafts would be commu- 
nicated encrypted without the writers having to do anything. 

The answer to your question is thus twofold. The U.S. export controls probably 
do not prevent criminals or terrorists who are attentive to security from getting ac- 
cess to encryption software. They may, for a time, prevent these people from getting 
what honest business people want: Encryption software that functions automatically 
and invisibly in their operating systems and supports a variety of application programs 
in a consistent way. 

From a communications intelligence viewpoint, NSA's fear is rational. Because the 
software marketplace is international, however, the effect of export controls has 
been to stifle the development of security in operating systems. Companies whose 
markets are frequently more than half foreign are loathe to expend resources devel- 
oping features that can be sold to only a minority of their customers. 

Concern with America's position in international trade is also rational, however. 
It seems unlikely that businesses can indefinitely increase their dependence on com- 
puters and communications without installing security mechanisms commensurate 
with the value of their investments. The security machinery itself will be a small 
fraction of the total revenue for computer systems and software, but its smooth 
integration into operating systems and applications may be the sine qua non of future 
market acceptance. 
Yours truly, 

Whitfield Diffie, 
Distinguished Engineer. 

Sun Microsystems Computer Corp., 

Mountain View, CA, May 23, 1994. 

Hon. Patrick J. Leahy, 
Committee on the Judiciary, 
U.S. Senate, Washington, DC. 

Dear Senator Leahy: I very much appreciate both the opportunity of speaking 
before your subcommittee and the opportunity to respond to your questions, the answers 
to which I have attached to this letter. 

As I sat listening to the committee proceedings, I felt a glimmer of hope that the 
key escrow proposal might actually be stopped. At the same time I realized that 
winning this "fight," should we be so lucky, would not contribute to winning the 
larger battle: The battle to improve the security of American business and personal 

For more than a decade, we have been trying without much success to persuade 
the public that their communications are worth protecting and that this protection 
is worth paying for. In this campaign, we have usually had little support from NSA 
and at times we have had active opposition. NSA, however, has a decisive role to 
play and the battle probably cannot be won without it. 

NSA is in possession of a vast body of information about both the vulnerabilities 
of communications and actual instances of their exploitation. When it is in market- 
ing mode, as it was during the mid-nineteen eighties with its STU-III and CCEP 
programs, it lends its weight to the view that the communications of Americans are 
being exploited and need protection. When it is arguing against commercial standards 
or the relaxation of export controls, it takes the opposite view. 

In undertaking the key escrow program, NSA has put forth a deal. They will lend 
both their technical and marketing abilities to the development of a new generation 
of widely available security equipment. The condition is the key escrow. Most of 
NSA's budget goes to intelligence and intelligence demands its cut. Should the key 
escrow program be stopped, it seems likely that we will return to a situation in 
which industry must try to persuade the public of the need for security over NSA's 
opposition or at best in the face of its indifference. 

I suggest, therefore, that should Congress choose to take over the reins of policy 
in this area, it will not be sufficient to end the Administration's venture into key 
escrow. It will be necessary to insist that protecting the communications of all 
Americans be put foremost among NSA's responsibilities and to mandate NSA's full 
and unreserved participation in this program. 

Yours truly, 

Whitfield Diffie, 
Distinguished Engineer. 

Answers to Questions From the Senate Subcommittee on Technology and 
The Law to Stephen T. Walker 

Question 1. The serial number, or unique identifier number, for each key escrow 
chip is sent out as a header on each encrypted communication. If the government 
just wanted to know where I was and not what I was saying, would it be possible 
for the government to track down the header on my communications and figure out 
where I was from where I was sending out my encrypted messages? Could you ex- 
plain how this would be possible? Do you have concerns about this? 

Answer 1. It would be relatively straightforward for the government to track the 
movement of individuals and the phone numbers of people with whom they are com- 
municating using the Clipper key escrow system without the need for a wiretap 
court order. 

The law enforcement decryption unit that is used to initially detect the use of a 
Clipper device contains the "family key" of all Clipper telephone security devices. 
This key allows the decryption unit to identify the unique serial number without 
any interaction with the key escrow centers. Anyone with access to such a 
decryption unit could identify calls from specific Clipper devices without a court 


Such activity would require access to phone communications facilities that would 
normally be associated with court-ordered wiretaps. Access to the decryption unit 
would normally be reserved for law enforcement officials [Initially there is only one 
such unit, but presumably if Clipper becomes widely used, there will be many avail- 
able to law enforcement throughout the country.] 

It is important to note that if one does not use a TSD, one's communications are 
trivially vulnerable to this same threat today. 

Question 2. You are a member of the Computer System Security and Advisory 
Board, which was created by the Computer Security Act of 1987 to advise NIST on 
computer policy matters. Was this Board consulted by NIST during consideration 
of the key escrow encryption standard? 

Answer 2. The Board was never consulted "before-the-fact" in any of the Adminis- 
tration's announcements on Clipper, the Digital Signature Standard, the Escrow 
Encryption Standard or any other matter related to cryptography. In each case the 
members of the Board were as surprised as the general public by these announce- 

As was demonstrated in the case of the proposed licensing of the Digital Signature 
Algorithm to Public Key Partners last June, the advice of the Board relative to the 
cost impact on the general public eventually led to a reversal of that proposal. Had 
the advice of the Board been sought before this proposal was put forward, I believe 
at least nine months of delay in issuing the Digital Signature Standard could have 
been saved. Given that the government has delayed the issuing of the DSS for over 
twelve years, though, it is not clear that this would have made much difference. 

It is important to note that all activities of the Board except those dealing with 
budgets and proprietary concerns must be held in open session. Under these cir- 
cumstances, describing its proposed actions to the Board would be equivalent to the 
government announcing its actions in public. I do believe that if the government 
wanted to it could make use of the proprietary information provisions to seek the 
advice of the Board prior to announcing its policy decisions. It is apparent that the 
government has chosen not to take this course in every announcement related to 

Question 3. Many users prefer encryption software because it is more cost effective 
than a hardware solution. So far, Clipper Chip has not been implemented in soft- 
ware. NIST announced in February that it will try to establish cooperative partner- 
ships with the software industry to develop key escrow software. You are a member 
of NIST's Software Escrowed Working Group, which is examining the possibilities 
for alternatives to Clipper Chip. Has any progress been made? If not, could you ex- 
plain why? 

Answer 3. I am a member of the NIST Software Escrow Encryption Working 
Group and just this past week, I have made a proposal to NIST and NSA of an al- 
ternative to Clipper key escrow that I believe provides as good a solution to the law 
enforcement concerns while being implementable entirely in software. This proposal 
could provide a far more cost-effective solution to key escrow than Clipper. I made 
this proposal in the interests of demonstrating that key escrow could be achieved 
without secret encryption algorithms and mandatory hardware. 

I must reiterate the major concern of my testimony before your hearing that government-imposed 
key escrow in any form, whether implemented in Clipper hardware 
or in software, should not take place until it has been subjected to full legislative 
review, passage of a law, signed by the President, and if necessary, determined 
to be Constitutional by the Supreme Court. 

My suggestion that at least one software key escrow approach is just as good as 
that envisioned in Clipper is made as a technical suggestion for consideration by the 
government in full recognition that the government may choose to impose this tech- 
nique on the American people without the benefit of Congressional consideration. 
I sincerely hope this does not happen. 

Question 4. NIST has stated that "industry interest in developing secure software 
based on key escrow encryption is minimal." Is that a correct assessment and, if so, 
could you explain why? 

Answer 4. The statement in quotes in this question is a complex statement that 
must be treated in parts. I believe that industry is concerned about key escrow for 
many reasons. Key escrow implemented in hardware using Clipper represents a significant 
increase in the complexity and cost of their products. Even key escrow implemented 
in software will complicate products while not adding to their market- 

More importantly, I am convinced that industry has little interest in developing 
key escrow encryption techniques, whether in hardware or software, for exactly the 
same reason as most American citizens: they don't like it. If we as a people decide 
that the benefits of key escrow are worth the risks to individual privacy, if we pass 
legislation making key escrow legal under controlled circumstances, then I believe 
most Americans and most of American industry will support its implementation in 
computer and telephone products. Until then, I believe the opposition to key escrow 
will continue. 

Question 5. In a speech last month at a telecommunications conference in Buenos 
Aires, Vice President Gore described his vision for a global information network to 
link the people of the world and provide a global information marketplace. How 
would the electronic information flow between countries be affected if other countries 
will not let Clipper Chip in? 

Answer 5. I have thought a great deal about the international aspects of key es- 
crow, whether by Clipper or in software. I do not see any practical way in which 
key escrow is ever going to work in a multinational setting. I believe that individual 
governments may work out ways for sharing the results of law enforcement inter- 
cepts in foreign countries. But I see no way that multinational companies will be 
able to communicate with their customers and suppliers in foreign countries if each 
government imposes its own form of key escrow. Vice President Gore's vision of a 
global information marketplace will be impossible so long as the U.S. Government 
or any other government feels key escrow is essential to their law enforcement in- 
terests. If the U.S. persists in this, it may have a national information marketplace, 
but it will be locked out of the international marketplace. 

Question 6. We are market leaders in applications software and operating systems. 
Our world leadership in operating systems is dependent on integrating security 
in internationally distributed systems. If overseas companies provide systems 
based on algorithms without key escrow schemes that encrypt faster and more se- 
curely, how will we compete internationally? 

Answer 6. We are rapidly reaching the point where we cannot compete inter- 
nationally in products that incorporate good quality security. Multinational compa- 
nies are requiring such capabilities in the information systems they are buying, and 
we are being locked out of those sales. And these are not just sales of encryption 
products. They involve all aspects of word processing, spreadsheets, integrated office 
products, database management systems, the very heart of our information system 
industry. We are not able to compete in these security-conscious marketplaces, and 
increasingly this will affect both our market share and our own abilities to protect 
U.S. sensitive information. 

Question 7. In your testimony you note that the Skipjack algorithm works fast 
enough to encrypt phone and low speed computer communications but will not eas- 
ily scale to meet the needs of high speed computer communications." Could you ex- 
plain this limitation in the underlying algorithm for Clipper Chip? 

Answer 7. This question has a complex answer that involves the way key escrow 
will be used as well as its implementation in hardware. 

First, the problem I was referring to is not a limitation of the Skipjack algorithm 
but relates to the hardware technologies currently being used to implement Clipper 
and Capstone. Some people have stated that the current versions will have to be 
reimplemented to work at the higher speeds required by modem computer commu- 

But the nature of key escrow of individual communications requires interaction 
on a per-phone call or per-computer message basis. This is best done at the user 
end of the communications links (the individual phones or computers originating the 
communications). The present implementations of Clipper and Capstone are 
well-suited to this use. 

There are other uses of cryptography that require much higher bandwidth and are 
not amenable to individual key escrow. Bulk encryption of high bandwidth communications 
links requires very fast cryptography. The Skipjack algorithm could probably 
be implemented with much higher speed technology for such uses. But key escrow 
of individual phone calls or computer messages is not meaningful in high bandwidth 
bulk encryption applications. 

If the American people agree that we need key escrow, Skipjack, with its embedded 
key escrow, will play a role in achieving that capability. But key escrow is not 
the answer to all our cryptographic needs. We will also need cryptographic technologies 
that will operate at the same speeds as our highest bandwidth communications. 
For these devices, key escrow makes no sense. 

Question 8. The National Security Agency has stated that "many non-key escrow 
encryption products have long been licensed for export * * * [and] * * * will continue 
to be." Do you share this view that many American encryption products are freely 
licensed for export? 

Answer 8. There are many encryption products made in the U.S. with "weak" 
cryptography that are approved for export from the U.S. The best example is the 
so called "SPA deal" of 1992 in which the government agreed to the export of products 
containing cryptography so long as the key length used was 40 bits or less (the 
key length of the Data Encryption Standard is 56 bits). 

Unfortunately, key lengths of 40 bits or less are, with today's technology, trivially 
easy to defeat. When U.S. companies attempt to sell products based on 40-bit keys 
to their foreign customers who already have 56-bit DES products, they generally 

As the use of good quality cryptography continues to grow, those U.S. products 
that have weak cryptography (and are therefore approved for export) will lose any 
market share that may now exist. 

Question 9. The administration has stated that the Skipjack algorithm in the Clip- 
per Chip must remain classified and only specially certified vendors will be given 
access to it. By contrast, openly available devices, such as Intel-compatible 
microprocessors, have seen dramatic gains, but only because everyone was free to 
try to build a better version. Given the restrictions on who can build Clipper devices, 
do you have any concerns about how Clipper will keep up with advances in 
semiconductor speed, power, capacity and integration? 

Answer 9. This is a fundamental question at the core of technological advances 
throughout our society. If the last twenty years have shown anything, it is that open 
development of technologies that compete directly in the marketplace will be far 
more successful than closed designs. This is true for personal computers and for 
cryptographic devices. 

Classified encryption algorithms that must be designed and implemented in closed 
communities will never be able to compete with the open-market development of 
products based on DES and similar public algorithms. Key escrow does not require 
the use of classified algorithms; it will work equally well with DES or other popular 
algorithms. If the Administration insists on a closed development and implementa- 
tion process, it will relegate its key escrow ideas to a very small segment of the 
overall market for cryptography. 

Question 10. The Administration has assured industry that the key escrow tech- 
nology will be enhanced to keep pace with future data requirements. Are you aware 
of anything the Administration is doing to develop key escrow technology that can 
work with emerging high-speed communications technologies? 

Answer 10. No, but I believe there are many techniques that can be used to at- 
tempt to make key escrow work with high speed communications. See my answers 
to questions 7 and 9. 

Question 11. Every Clipper Chip has the same Family Key programmed into it. 
This Family Key is used by law enforcement to decode an intercepted serial number, 
or unique identifier, that is transmitted at the beginning of every encrypted conversation. 
The law enforcement agency presents this serial number to get the decoding 
keys from the escrow agents. In the event that someone got unauthorized access 
to the Chip Family Key, what could that person do with it? Do you have any con- 
cerns about who will have access to the Chip Family Key? 

Answer 11. If an unauthorized individual obtained access to a device family key, 
that individual could create a capability to track the users of any device in that fam- 
ily, as was discussed in question 1. I believe that the procedures being established 
for protection of family keys and device escrow keys are quite strong. But as was 
pointed out by Senator Specter, it is not easy to keep a secret over a long period 
of time. 
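
Added illustration, not part of the hearing record: a simplified Python model of the header described in Questions 1 and 11, showing that the family key alone exposes the device serial number on every call while the session key stays wrapped under the escrowed device key. The field sizes (32-bit serial, 80-bit session key, 16-bit check value), the SHA-256 keystream standing in for the classified Skipjack algorithm, and all keys and line labels are assumptions constructed for the example.

```python
import hashlib
import struct
from collections import defaultdict

# Assumed field sizes in bytes (not stated in the hearing record).
UNIT_ID_LEN, SESSION_KEY_LEN, CHECK_LEN, NONCE_LEN = 4, 10, 2, 8
BODY_LEN = UNIT_ID_LEN + SESSION_KEY_LEN + CHECK_LEN


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for Skipjack: XOR with a SHA-256 counter keystream.

    Encrypting and decrypting are the same operation. Illustration only.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def check_value(uid: bytes, wrapped_key: bytes) -> bytes:
    """Constructed 16-bit check so a reader can recognise a valid header."""
    return hashlib.sha256(b"hdr" + uid + wrapped_key).digest()[:CHECK_LEN]


def make_header(family_key, unit_id, unit_key, session_key, nonce):
    """Header a device sends ahead of each encrypted call."""
    uid = struct.pack(">I", unit_id)
    # Inner layer: session key wrapped under the per-device (escrowed) key.
    wrapped = toy_cipher(unit_key, b"wrap" + nonce, session_key)
    body = uid + wrapped + check_value(uid, wrapped)
    # Outer layer: whole body encrypted under the key shared by every device.
    return nonce + toy_cipher(family_key, nonce, body)


def open_header(family_key, header):
    """Strip the outer layer with the family key only.

    Returns (unit_id, wrapped_session_key), or None if the header is invalid.
    """
    if len(header) != NONCE_LEN + BODY_LEN:
        return None
    nonce, body = header[:NONCE_LEN], header[NONCE_LEN:]
    plain = toy_cipher(family_key, nonce, body)
    uid = plain[:UNIT_ID_LEN]
    wrapped = plain[UNIT_ID_LEN:UNIT_ID_LEN + SESSION_KEY_LEN]
    if plain[-CHECK_LEN:] != check_value(uid, wrapped):
        return None
    return struct.unpack(">I", uid)[0], wrapped


def recover_session_key(family_key, unit_key, header):
    """Reading the call itself also needs the device key held in escrow."""
    opened = open_header(family_key, header)
    if opened is None:
        return None
    return toy_cipher(unit_key, b"wrap" + header[:NONCE_LEN], opened[1])


def sightings_by_unit(family_key, intercepts):
    """Group (line_label, header) pairs by serial number, family key only."""
    seen = defaultdict(list)
    for line, header in intercepts:
        opened = open_header(family_key, header)
        if opened is not None:
            seen[opened[0]].append(line)
    return dict(seen)


if __name__ == "__main__":
    family = b"constructed-family-key"          # constructed sample values
    hdr_a = make_header(family, 0xA001, b"unit-key-A", b"sessionkey", b"nonce001")
    hdr_b = make_header(family, 0xB002, b"unit-key-B", b"0123456789", b"nonce002")
    hdr_c = make_header(family, 0xA001, b"unit-key-A", b"abcdefghij", b"nonce003")
    calls = [("line-1", hdr_a), ("line-2", hdr_b), ("line-3", hdr_c)]
    for unit, lines in sightings_by_unit(family, calls).items():
        print(f"unit {unit:#06x} seen on {lines}")
```

The model makes the exposure concrete: protecting the family key and logging every use of a decryption unit matter as much as the escrow procedure, because no escrow agent is involved in reading serial numbers.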

Question 12. The Internet Privacy Enhanced Mail (PEM) is becoming an internationally 
recognized system for encrypting Electronic Mail over the Internet. If the 
Administration is successful in making the key escrow chips an American standard 
for encrypting electronic mail while the rest of the world uses PEM, how would this 
affect encrypted E-mail traffic between the U.S. and other countries? 

Answer 12. If key escrow were to become a mandatory standard in the U.S. while 
the rest of the world continued to use Internet PEM, there would be very little 
encrypted e-mail between the U.S. and the rest of the world. 

Question 13. Is the demand for strong encryption technology growing and, if so, 

Answer 13. Concern for the protection of sensitive information from unauthorized 
disclosure, modification or destruction is growing in all segments of the information 
technology market, from individuals to large corporations and governments. The de- 
mand for good quality cryptography will continue to grow until this concern can be 
adequately addressed. This is a fundamental issue that the Administration's policies 
of always siding with the law enforcement and national security interests continue 
to ignore. People will find ways to protect their sensitive information even if they 
have to buy encryption products from foreign sources. 


Answers to Questions From the Senate Subcommittee on Technology and 
The Law to Vice Admiral J.M. McConnell 

Question 1. The Defense Authorization Bill for Fiscal Year 1994 has authorized 
$800,000 to be spent by the National Research Council of the National Academy of 
Sciences to conduct a study of federal encryption policy. Can we wait to implement 
the key escrow encryption program until we have the benefit of the NRC's study? 
Do you think this study is necessary? Should this study be expedited? 

Answer 1. We do not believe that we can wait until after the NRC study is completed 
in 1996 to begin implementation of the key escrow initiative. The information 
technology industry is dynamic and fast-moving, and to wait another two years or 
more would, we believe, jeopardize the success of the initiative. Industry demand 
for encryption products is growing, and the technology is available now to meet that 
demand with encryption products that provide an outstanding level of security to 
the user without making it impossible for law enforcement agencies to conduct lawful 
wiretaps. To wait for the completion of the NRC study would make it much more 
likely that the market would turn to other encryption products which would defeat 
lawful wiretaps. We believe that such a delay would not be in the best interest of 
the American people. 

Neither do we believe that the study should be expedited. For our part, we will 
carefully consider the conclusions of the NRC study. We expect that it will give very 
careful consideration to the issues, and we would not want the pressure of an unnecessarily 
short deadline to limit the study group's ability to produce the best report 
possible. 

Question 2. The Administration has said that it is continuing to restrict export 
of the most sophisticated encryption devices, in part, "because of the concerns of our 
allies who fear that strong encryption technology would inhibit their law enforcement 
capabilities." Do we really need to help our allies by prohibiting the export 
of strong American encryption products, since those same countries can simply con- 
trol the encryption bought within their borders? 

Answer 2. Exports of encryption products are subject to review primarily to pro- 
tect U.S. national interests, including national security, law enforcement, foreign 
policy, and other important interests. The law enforcement concerns of our allies are 
a consideration, especially as the ability of our allies to combat terrorism, drug trafficking, 
and other international law enforcement problems can have direct benefits 
to the United States. However, foreign law enforcement concerns do not drive our 
export control policy. We would continue to review encryption exports to protect U.S. 
national interests even if foreign law enforcement concerns disappeared. 

Question 3. Do you know whether foreign governments would be interested in im- 
porting key escrow encryption products to which they hold the decoding keys? 

Answer 3. Several foreign governments have expressed interest in key escrow 
encryption technology due to their own law enforcement concerns. There have been 
some preliminary discussions, but issues such as who would hold the escrowed keys 
and the circumstances of government access to escrowed keys must be fully vetted. 

Question 4. The Government wants the key escrow encryption standard to become 
the de facto industry standard in the United States. Would the Government abandon 
the Clipper Chip program if it is shown to be unsuccessful beyond government 

Answer 4. We do not expect the program to be unsuccessful beyond government. 
We have developed a sound security product that we expect will find many uses in 
government information systems and further believe that government use will bring 
with it a commercial market, particularly in the defense sector. We have developed 
a sound security product that we expect will find many uses in government informa- 
tion systems regardless of its success in commercial markets. 

Question 5. Openly available devices, such as Intel-compatible microprocessors, 
have seen dramatic gains, but only because everyone was free to try to build a bet- 
ter version. Given the restrictions on who can build devices with the classified Skip- 
jack algorithm, how will key escrow chips keep up with advances in semiconductor 
speed, power, capacity and integration? 

Answer 5. Despite the requirements that a firm must meet to produce key escrow 
encryption chips, we expect that there will be a number of manufacturers competing 
against each other to produce the best product, and that such competition will drive 
them to keep up with the latest technological advances. It is worth noting that only 
a few companies can produce the sophisticated microprocessors you reference, yet 
the competition in that market has driven them to achieve remarkable advances in 
that technology. NSA's STU-III secure telephone program provides an example of 
a cryptographic product line that keeps pace with technology. 


The presence of a classified algorithm does not preclude keeping pace with tech- 
nology. Through NSA's use of a competitive, multi-vendor approach, STU-III secure 
telephone products have continued to evolve in response to user requirements and 
technological advances despite their use of a classified encryption algorithm and the 
consequent need for security restrictions on the manufacturers. 

Question 6. How well does the Skipjack algorithm work on telecommunications op- 
erating at very high speeds? Is NSA working on another algorithm, called BATON, 
that could be used at high speeds with a key escrow system? Will Capstone be compatible 
with BATON? 

Answer 6. Using currently available microelectronics technology, the SKIPJACK 
algorithm could not be used for encryption at very high speeds. BATON is the name 
of an algorithm developed by NSA that could be used at higher rates of speed. We 
have no plans to develop key escrow encryption devices using BATON, however. Instead, 
we are considering another algorithm for use at high speeds with a key escrow 
system. 

A high-speed key escrow device based on an algorithm other than SKIPJACK 
would not be "compatible with Capstone" in the sense that traffic encrypted by such 
a device could not be decrypted by Capstone, and vice versa. However, since such 
a device would be used for much higher-speed applications than those for which 
Capstone was designed, there would be no need for it to be compatible with Capstone 
in that sense. 

Question 7. Can Capstone be used to encrypt video programming? If so, have cable 
companies been approached by any government agency to use Capstone to scramble 
or encrypt cable programs? 

Answer 7. Capstone could be used to encrypt any digital signal, including video 
programming, operating at up to about 10 million bits per second. It could be used 
for encrypting individual video channels but not for bulk encryption of many chan- 
nels multiplexed together in a single link. NSA is not aware of any government 
agency approaching cable companies to urge the use of Capstone. Two manufacturers 
have asked us about the suitability of key escrow devices for this purpose, how- 

Question 8. Encryption software is available that can be used with Clipper to 
encrypt a message before or after it has been encrypted with Clipper. This "double 
encrypting" risks bypassing the key escrow feature. If a sender first encrypts the 
message with software using DES, and then transmits the message "double 
encrypted" with Clipper, can you tell from looking at the cipher, or encrypted text, 
that the underlying message was encrypted? 

Answer 8. The only way to tell that a message has been "double encrypted" in 
this way would be to decrypt the "outer layer" of encryption, i.e. that done with 
Clipper. Only then would one be able to tell that the message had first been 
encrypted with something else. 

Answers to Questions From Senator Pressler to Vice Admiral J.M. 


Question 1. Admiral as you are aware, critics of the Administration's proposal 
argue that as a practical matter, no criminal, foreign spy, or terrorist of any sophistication 
would be foolish enough to use an encryption device designed by the NSA 
and approved by the FBI. How do you respond? Why do[n't you] think the people 
whose telecommunications the NSA and the FBI want most to decode will be the 
very people most unlikely to use this technology? 

Answer 1. From what we know today, the overriding requirement that spies, ter- 
rorists, and criminals have is for readily available and easy to use equipment that 
interoperates. Key escrow encryption is not meant to be a tool to catch criminals. 
It will make excellent encryption available to legitimate businesses and private citi- 
zens without allowing criminals to use the telecommunications system to plan and 
commit crimes with impunity. We believe it would be irresponsible for government 
to make excellent encryption broadly available knowing that its use by criminals 
would make it impossible for law enforcement agencies to conduct lawful wiretaps 
against them. 

The Department of Justice credits information gleaned through wiretaps as lead- 
ing to more than 20,000 felony convictions since the early 1980s. This would not 
have been possible if the criminals had been using encryption systems the FBI could 
not break. 

Without government action, however, this fortunate situation will change. At 
present most people, and most criminals, don't use encryption. However, there is an 
increasing public awareness of the value of encryption for protecting private 
personal and business communications. Increasing demand for encryption by the public 
will likely lead to the widespread use of some form of standardized encryption on 
the public telecommunications network. 

This development would have great benefits for the country. Legitimate busi- 
nesses and private individuals could use the telecommunications system secure in 
the knowledge that their private information such as business records and credit 
card numbers could not be intercepted by third parties. 

But there is a down side. Criminals, terrorists, and others could also use the system 
to plan crimes, launder money, and the like, completely secure in the knowledge 
that law enforcement agencies could not listen to those communications. Just 
as legitimate businesses operate much more efficiently and effectively using the 
telecommunications system than they could without it, so will criminal enterprises 
be able to operate more efficiently and effectively if they no longer have to avoid 
using the telecommunications system. 

The United States is faced with a choice. We can sit back and watch as the emerging 
national information infrastructure becomes a valuable tool for criminals and 
terrorists to use to plan and carry out their activities with complete security, or we 
can take steps to maintain the current ability of government to conduct lawful wiretaps 
so that prudent criminals will have to find other less efficient ways to operate 
and foolish ones may be caught. Key escrow encryption is the latter option. 

Question 2. Would widespread use of the Skipjack algorithm harm U.S. exports? 
Do you think it is unlikely foreign businesses will purchase American encryption 
technology if the U.S. Government holds a set of the decoding keys? 

Answer 2. I do not believe that widespread use of key escrow encryption in the 
United States will harm U.S. exports. If it has any effect at all, it could increase 
exports somewhat. Key escrow encryption products provide another option for for- 
eign purchasers that they have not had in the past; to the extent that foreigners 
do purchase key escrow encryption products, it will mean an increase in exports. 
Meanwhile, U.S. exporters are free to continue to sell the products they currently 
sell in foreign markets and to seek license approvals for new products. 

It is difficult to predict the foreign market for U.S. key escrow encryption tech- 
nology. Businesses that fear U.S. Government interception of their communications 
presumably would avoid products for which the U.S. Government holds keys. How- 
ever, there are a number of reasons why foreign businesses might purchase them. 
One major reason would be to communicate securely with U.S. businesses that use 
them. In addition, the superior level of security provided by key escrow products 
(against all but lawful U.S. Government access) may make them attractive to for- 
eign businesses that do not view U.S. Government access as a major concern. While 
some prospective users abroad may steer clear of key escrow products because the 
United States will retain access, there may be many who believe they are unlikely 
to be targeted by U.S. intelligence in any case or for whom the superior security 
offered by key escrow encryption products against threats of greater concern may 
make key escrow products an attractive option. For example, a distributor of pay- 
TV programming may depend on encryption to ensure that only those viewers who 
pay for the service can decrypt the TV signal. Such a distributor probably would 
not be concerned about the threat of access by the United States Government, and 
might favor suitable key escrow encryption products over competing products that 
use weaker encryption algorithms. 

Question 3. You were present when the previous panelist, Stephen Walker, described 
how present U.S. laws prohibit his company from exporting encryption products. 
As I understand it, Senator Murray's bill, S. 1846, attempts to relax these export 
controls somewhat. Please give us your views on this legislation. 

Answer 3. I support the Administration's position, as announced by the White 
House on February 4, that current export controls must remain in place and that 
regulatory changes should be implemented to speed exports and reduce the licensing 
burden on exporters. The bill you reference appears to be inconsistent with the Ad- 
ministration position. I would be happy to provide you further information on the 
Administration's reasons for maintaining the current export controls in an appro- 
priate setting. 

Answer to a Question From Senator Murray to Vice Admiral McConnell 

Question 1. In my office in the Hart building this February, I downloaded from 
the Internet an Austrian program that uses DES encryption. This was on a laptop 
computer, using a modem over a phone line. The Software Publishers Association 
says there are at least 120 DES or comparable programs worldwide. However, U.S. 
export control laws prohibit American exporters from selling comparable DES programs 
abroad. With at least 20 million people hooked up to the Internet, how do 
U.S. export controls actually prevent criminals, terrorists, or whoever from obtaining 
DES encryption software? 

Answer 1. Serious users of encryption do not entrust their security to software 
distributed via networks or bulletin boards. There is simply too much risk that vi- 
ruses, Trojan Horses, programming errors, and other security flaws may exist in 
such software which could not be detected by the user. Serious users of encryption, 
those who depend on encryption to protect valuable data and cannot afford to take 
such chances, instead turn to other sources in which they can have greater confidence. 
Such serious users include not only entities which may threaten U.S. national 
security interests, but also businesses and other major consumers of 
encryption products. Encryption software distribution via Internet, bulletin board, 
or modem does not undermine the effectiveness of encryption export controls. 

